Certificate Connector
Comparing Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) and SCEPman in terms of deployment and operational efforts.
Last updated
Was this helpful?
Comparing Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) and SCEPman in terms of deployment and operational efforts.
Last updated
Was this helpful?
Was this helpful?
Set-up Effort
< 30 minutes
3-step deployment procedure for core functionality
> 2 - 3 days
CDP* design and implementation
Certificate Templates configuration
Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...
> + 2 days
In addition to PKCS:
Additional server(s) for NDES
One NDES server for each type of certificate
Two additional Certificate Templates
Difficult to debug
PKI Maintenance
Monitoring of the Certificate Connector
In addition to PKCS:
Manual Enrolment Agent certificate renewal
Server Maintenance
Operating system updates
Monitoring
In addition to PKCS:
Operating system updates and monitoring for at least one additional server
Certificate Management Issuance, renewal, revocation
Fully-automated enrolment and renewal
Manual revocation option
Fully-automated enrolment and renewal
Manual revocation (difficult to search the database)
Like PKCS.
Availability
Singular Design
App Service SLA: > 99.95 % Uptime
Redundant Design
Traffic Manager SLA: > 99.99 % Uptime
Multiple failure modes:
Virtualization platform
Operating system
CDP webserver
Redundant Design
Standby CA server
Additional CDP webservers
Standby server for backup Certificate Connector
Like PKCS.
Redundant Design
Additional NDES servers
Scalability
No autoscaling
Scaling requires CA cluster
Like PKCS.
Further effort for duplicating NDES servers
Backup
SCEPman is stateless for core functionality, i.e. no backup is required.
SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).
Optional Storage Account can be backed-up automatically.
Regular CA database backups
CA key and configuration backup (high compliance and security requirements)
Like PKCS.
Security
Designed based on Zero-Trust approach (cloud-native)
Use of state-of-the art authentication schemes
Automatic certificate revocation in real-time with OCSP (human error impossible)
Designed for on-premises use
Susceptible for "certifried attack"
Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet
Increased attack surface due to usage of on-premises and cloud accounts
Actuality of CRL depends on refresh interval
OCSP is based on CRL and not realtime
Like PKCS.
Requires inbound access to NDES (tier 0 asset)
Flexibility
Use of standardized interfaces (SCEP, OCSP, REST)
Support of multiple MDM solutions
Only Intune is supported
Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients
Support of multiple MDM solutions possible (additional NDES instance required)
*: CRL Distribution Point