Ask or search…

Certificate Connector

This page compares SCEPman and the Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) in terms of deployment and operational efforts.
Microsoft CA with PKCS
Set-up Effort
< 30 minutes
> 2 - 3 days
  • CDP* design and implementation
  • Certificate Templates configuration
  • Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...
> + 2 days
In addition to PKCS:
  • Additional server(s) for NDES
  • One NDES server for each type of certificate
  • Two additional Certificate Templates
  • Difficult to debug
PKI Maintenance
In addition to PKCS:
  • Manual Enrolment Agent certificate renewal
Server Maintenance
  • Operating system updates
  • Monitoring
In addition to PKCS:
  • Operating system updates and monitoring for at least one additional server
Certificate Management Issuance, renewal, revocation
  • Fully-automated enrolment and renewal
  • Manual revocation (difficult to search the database)
Like PKCS.
Singular Design
  • App Service SLA: > 99.95 % Uptime
Redundant Design
  • Traffic Manager SLA: > 99.99 % Uptime
Multiple failure modes:
  • Virtualization platform
  • Operating system
  • CDP webserver
Redundant Design
  • Standby CA server
  • Additional CDP webservers
  • Standby server for backup Certificate Connector
Like PKCS.
Redundant Design
  • Additional NDES servers
Like PKCS.
  • Further effort for duplicating NDES servers
  • SCEPman is stateless for core functionality, i.e. no backup is required.
  • SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).
  • Optional Storage Account can be backed-up automatically.
  • Regular CA database backups
  • CA key and configuration backup (high compliance and security requirements)
Like PKCS.
  • Designed based on Zero-Trust approach (cloud-native)
  • Use of state-of-the art authentication schemes
  • Automatic certificate revocation in real-time with OCSP (human error impossible)
  • Designed for on-premises use
  • Susceptible for "certifried attack"
  • Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet
  • Increased attack surface due to usage of on-premises and cloud accounts
  • Actuality of CRL depends on refresh interval
  • OCSP is based on CRL and not realtime
Like PKCS.
  • Use of standardized interfaces (SCEP, OCSP, REST)
  • Support of multiple MDM solutions
  • Only Intune is supported
  • Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients
  • Support of multiple MDM solutions possible (additional NDES instance required)
*: CRL Distribution Point