| Criterion | SCEPman | On-premises CA with NDES |
|---|---|---|
| | | CDP* design and implementation; Certificate Templates configuration; configuration compatibility (GPOs, service accounts, Connector versions, ...) |
| | | Additional server(s) for NDES; one NDES server for each type of certificate; two additional Certificate Templates |
| | | Monitoring of the Certificate Connector; manual Enrolment Agent certificate renewal |
| | | Operating system updates and monitoring for at least one additional server |

Certificate Management

| Criterion | SCEPman | On-premises CA with NDES |
|---|---|---|
| Issuance, renewal, revocation | Fully automated enrolment and renewal | Fully automated enrolment and renewal; manual revocation (the CA database is difficult to search) |
| Availability | App Service SLA: > 99.95 % uptime; Traffic Manager SLA: > 99.99 % uptime | Additional CDP web servers; standby server for a backup Certificate Connector |
| Scaling | | Scaling requires a CA cluster; further effort to duplicate NDES servers |
| Backup | SCEPman is stateless for its core functionality, so no backup is required. The SCEPman Root CA is implicitly backed up by Azure Key Vault (region-redundant). The optional Storage Account can be backed up automatically. | Regular CA database backups; CA key and configuration backup (high compliance and security requirements) |
| Security | Designed on a Zero Trust approach (cloud-native); uses state-of-the-art authentication schemes; automatic certificate revocation in real time with OCSP (human error impossible) | Designed for on-premises use; increased attack surface due to the additional communication channel between the CA (a tier 0 asset) and the internet; increased attack surface due to the use of both on-premises and cloud accounts; CRL freshness depends on the refresh interval; OCSP responses are derived from the CRL and are therefore not real-time |
| Interfaces and MDM support | Standardized interfaces (SCEP, OCSP, REST); supports multiple MDM solutions | Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients; support of multiple MDM solutions possible (additional NDES instance required) |