CDP (CRL Distribution Point) design and implementation
Certificate Templates configuration
Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...
Additional server(s) for NDES
One NDES server for each type of certificate
Two additional Certificate Templates
Manual Enrolment Agent certificate renewal
Operating system updates and monitoring for at least one additional server
Issuance, renewal, revocation
SCEPman: Fully automated enrolment and renewal
NDES: Manual revocation (difficult to search the database)

Availability
SCEPman: App Service SLA: > 99.95 % uptime
SCEPman: Traffic Manager SLA: > 99.99 % uptime
NDES: Additional CDP web servers
NDES: Standby server for a backup Certificate Connector
NDES: Further effort for duplicating NDES servers

Backup
SCEPman: SCEPman is stateless for its core functionality, i.e. no backup is required.
SCEPman: The SCEPman Root CA is implicitly backed up by Azure Key Vault (region-redundant).
SCEPman: The optional Storage Account can be backed up automatically.
NDES: Regular CA database backups
NDES: CA key and configuration backup (high compliance and security requirements)

Security
SCEPman: Designed on a Zero-Trust approach (cloud-native)
SCEPman: Use of state-of-the-art authentication schemes
SCEPman: Automatic certificate revocation in real time with OCSP (human error impossible)
NDES: Designed for on-premises use
NDES: Increased attack surface due to the additional communication channel between the CA (tier 0 asset) and the internet
NDES: Increased attack surface due to the use of both on-premises and cloud accounts
NDES: Currency of the CRL depends on its refresh interval
NDES: OCSP is based on the CRL and is not real-time

Interoperability
SCEPman: Use of standardized interfaces (SCEP, OCSP, REST)
SCEPman: Support of multiple MDM solutions
NDES: Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients
NDES: Support of multiple MDM solutions possible (an additional NDES instance is required)