Certificate Connector

Comparing Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) and SCEPman in terms of deployment and operational efforts.


The comparison is organised by category; within each category the three columns of the original table are SCEPman, Microsoft CA with PKCS, and NDES with SCEP.

Set-up Effort

SCEPman
  • < 30 minutes for core functionality
  • 3-step deployment procedure

Microsoft CA with PKCS
  • > 2 - 3 days
  • CDP* design and implementation
  • Certificate Templates configuration
  • Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...

NDES with SCEP
  • > + 2 days, in addition to PKCS:
  • Additional server(s) for NDES
  • One NDES server for each type of certificate
  • Two additional Certificate Templates
  • Difficult to debug

PKI Maintenance

SCEPman
  • Automatic health monitoring in Azure

Microsoft CA with PKCS
  • Monitoring of the Certificate Connector
  • CDP monitoring

NDES with SCEP
  In addition to PKCS:
  • Manual Enrolment Agent certificate renewal

Server Maintenance

SCEPman
  • Automatic updates / patches

Microsoft CA with PKCS
  • Operating system updates
  • Monitoring

NDES with SCEP
  In addition to PKCS:
  • Operating system updates and monitoring for at least one additional server

Certificate Management (issuance, renewal, revocation)

SCEPman
  • Fully-automated enrolment and renewal
  • Fully-automated revocation
  • Manual revocation option

Microsoft CA with PKCS
  • Fully-automated enrolment and renewal
  • Manual revocation (difficult to search the database)

NDES with SCEP
  • Like PKCS.

Availability

SCEPman
  Singular Design
  • App Service SLA: > 99.95 % uptime
  Redundant Design
  • Traffic Manager SLA: > 99.99 % uptime

Microsoft CA with PKCS
  Multiple failure modes:
  • Virtualization platform
  • Operating system
  • CDP webserver
  Redundant Design
  • Standby CA server
  • Additional CDP webservers
  • Standby server for backup Certificate Connector

NDES with SCEP
  Like PKCS.
  Redundant Design
  • Additional NDES servers

Scalability

SCEPman
  • Autoscaling or manual scaling with a few clicks
  • Serve any number of clients with one SCEPman CA

Microsoft CA with PKCS
  • No autoscaling
  • Scaling requires a CA cluster
  • Complex manual scaling

NDES with SCEP
  Like PKCS.
  • Further effort for duplicating NDES servers

Backup

SCEPman
  • SCEPman is stateless for core functionality, i.e. no backup is required.
  • The SCEPman Root CA is implicitly backed up by Azure KeyVault (region-redundant).
  • The optional Storage Account can be backed up automatically.

Microsoft CA with PKCS
  • Regular CA database backups
  • CA key and configuration backup (high compliance and security requirements)

NDES with SCEP
  • Like PKCS.

Security

SCEPman
  • Designed based on a Zero-Trust approach (cloud-native)
  • Use of state-of-the-art authentication schemes
  • Automatic certificate revocation in real-time with OCSP (human error impossible)

Microsoft CA with PKCS
  • Designed for on-premises use
  • Susceptible to the certifried attack
  • Increased attack surface due to an additional communication channel between the CA (a tier 0 asset) and the internet
  • Increased attack surface due to the use of both on-premises and cloud accounts
  • Currency of the CRL depends on the refresh interval
  • OCSP is based on the CRL and is not real-time

NDES with SCEP
  Like PKCS.
  • Requires inbound access to NDES (a tier 0 asset)

Flexibility

SCEPman
  • Use of standardized interfaces (SCEP, OCSP, REST)
  • Support of multiple MDM solutions

Microsoft CA with PKCS
  • Only Intune is supported
  • Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients

NDES with SCEP
  • Support of multiple MDM solutions possible (additional NDES instance required)

*: CRL Distribution Point