FAQ

Product Features

Keycloak enables the flexible use of various authentication protocols through a central sign-in and sign-out function for all MTG ERS® applications (CLM, PKI, KMS):

Support for OpenID Connect and SAML
Support for Google reCAPTCHA to protect against bot sign-ins
Multi-factor authentication with OTP for additional security (TOTP, HOTP)
Strong authentication with X.509 certificates
Configurable password policies with options for length, characters, complexity, etc.
Configurable authentication workflows, allowing fine-tuning of each individual login process
LDAP, Active Directory, and other Kerberos integrations available
Support for the latest W3C specification for web authentication (WebAuthn)

Import Certificates – Can I Import All Certificates into CLM?

Importing your company’s certificates into the central certificate management system is always possible manually. If automation options are available, the import process can be made even simpler.

Create a Certificate – How to Create a Certificate?

With the CLM, it’s very simple. We’ve prepared a video for this.

MTG Docs: Quickstart Guide “Issue your first certificate”

Reporting & Monitoring – What Can I Monitor with It?

Always keep track of the status of your certificates and avoid surprises.MTG CLM offers a comprehensive notification system for changes in certificate status. Users are notified well in advance and multiple times before certificates expire, ensuring timely and smooth renewals.

Comprehensive, user-friendly dashboards provide insights into the certificate status across different business units, allowing for a quick overview.
Advanced filtering and search functions enable easy identification and display of results, which can then be easily exported in CSV format for further processing.
Event logging in a central log accessible to CLM administrators allows tracking of activities within the application.

Roles and Permissions – What Can I Configure?

The roles and permissions management can be centrally administered and offers detailed settings for configuring the permissions of CLM users, such as restricting permissions to defined realms or policies.

User-Specific Settings: Configure permissions for individual users, entire business units, or specific policies.
Realm Organization: Organize access rights for digital certificates by creating different realms based on departments, user groups, or hierarchies.
Access Levels: Set up different users with read-only or configuration rights for certificates.
Custom Notification Rules: Customize notification rules according to individual needs.
Adaptive User Interface: The user interface adapts to the respective settings, providing a tailored experience for each user.

MTG Docs: User Guide “Authentication”

Policies – How Can I Prevent Misconfigurations with Certificate Templates?

Policies include a comprehensive set of rules required for configuring various certificates, ensuring entries are complete, error-free, and compliant. Here’s how to effectively use certificate templates to prevent misconfigurations:

Standardized Templates:
- Policies allow the creation of individual templates for emails, servers, networked hardware, or mobile devices.
- The MPKI provides a selection of pre-configured policies covering most common use cases, requiring no additional customer actions.
Restrict Selection to Approved Algorithms:
- Limit the choice to only approved algorithms to maintain security standards.
Restrict to Approved Key Materials:
- Ensure only approved key materials are used to prevent weak cryptographic implementations.
Set Certificate Validity Period:
- Define the validity duration of certificates to ensure compliance with organizational policies.
Manual or Automatic Approval Options:
- Choose between manual or automatic approval processes for certificate requests based on security needs.
Establish Four-Eyes Principle:
- Implement a four-eyes principle for additional security and oversight in certificate issuance.

Customizing PoliciesDepending on the use case of a certificate, specific requirements can be implemented through policies tailored to the scenario.

Predefined Policies: Each Managed PKI instance comes with a selection of predefined policies for standard scenarios that can be customized and adopted.
Custom Policies: Additional policies can be created by cloning and adjusting existing policies or defining new ones from scratch.

Expert SupportIf specific templates are needed or existing ones need adjustments, our PKI experts are available through consulting services to assist with the design and setup of these templates, ensuring they meet your unique requirements.

Policies – Are There Existing Templates I Can Use for Common Use Cases?

Each Managed PKI instance comes with a selection of predefined policies for standard scenarios that can be customized and adopted. Upon delivery, you will find the following standard policy templates:

SSL/TLS Server, ACME: Standard TLS certificates for web servers.
Machine, SCEP, EST, CMP: Certificates for network devices (e.g., switches, routers, printers, etc.).
Person, S/MIME Email: Secure email (S/MIME), VPN access security, secure login.
Person Active Directory: AD certificates for users, issued as part of the autoenrollment process.
Code Signing: Code signing certificates.

If you provided specific details about automation protocols in the onboarding form, additional suitable templates will be activated.Customizing and Creating Policies

Cloning and Adjusting: Policies can be created by cloning an existing policy and adjusting individual values to meet specific requirements.
Creating New Policies: It is also possible to define completely new policies tailored to unique needs.

These predefined templates and customization options ensure that your PKI can accommodate a wide range of common and specific use cases.

Public Certificates – Can I Use Public Certificates and Even Purchase Them Directly?

Public certificates are essential for secure communication with external entities. To simplify the application, import, and management processes, it is recommended to integrate the public CA with the CLM. Currently, integration with the Public CAs by PSW Group and GlobalSign are supported. Plans are underway to provide central access to all major public CA providers. Additionally, other public CA providers can be integrated upon request.

Realms – How Can I Organize My PKI by Business Units?

Setting up different business units is straightforward. The MTG CLM allows for an individualized organization of access rights for digital certificates. Here’s how you can manage it:

1. Create Realms:

- Define and create separate realms for each business unit, department, or user group. Realms act as isolated environments within the PKI system, ensuring tailored configurations and management specific to each division.

2. Assign Roles and Permissions:

- Use the roles and permissions system to manage access within each realm. This enables department-specific self-services without the need for constant intervention from a central PKI administrator.

3. Department-Specific Self Services:

- Enable business units to manage their certificates independently, facilitating faster response times and reducing the workload on central administration.

4. Custom Policies and Templates:

- Assign custom policies and certificate templates to each realm, ensuring that each business unit adheres to its specific requirements and standards.

This structured approach enhances security and operational efficiency by decentralizing PKI management while maintaining centralized oversight and control.

Control & Approval – Can I Control Who Can Create Certificates?

The software offers options for manual or automatic approval of certificate requests. Additionally, the establishment of a four-eyes principle is possible.

HSM – Do I Need a Hardware Security Module (HSM) for my PKI?

Using HSMs to protect private keys is, in our opinion, a MUST for IT security. A Hardware Security Module (HSM) is required whenever cryptographic keys in infrastructures need to be exceptionally well-protected against attacks on both software and hardware. HSMs generate and manage cryptographic keys, thereby securing digital identities. As such, HSMs serve as the trust anchor for protecting digital data.

Secure management of cryptographic keys is mandated by all regulations that require IT security according to the state of the art. This includes requirements from the GDPR, DIN ISO 27001, and NIS2. In sensitive areas, such as critical infrastructure sectors, HSMs have become the de facto standard.

The customer-specific signing keys of the MTG PKI software are secured via an nShield Hardware Security Module from Entrust. There is an HSM at each of the Darmstadt and Frankfurt locations, which are clustered via an RFS server (RFS = Remote File System). Entrust nShield Connect HSMs are certified according to FIPS 140-2 Level 3 and Common Criteria EAL4+ (EN 419 221-5).

Access Rights – How Can I Protect My Identity and Access Management with My PKI?

Digital certificates provide an additional layer of authentication and security that goes beyond simple password knowledge, requiring possession of a secret value associated with the certificate.

Digital certificates can be used for the authentication and authorization of users and devices in various corporate networks. Typical examples include Windows users, computers, laptops, firewalls, routers, switches, and IoT devices.

Certificate-based authentication methods are often implemented in Microsoft environments. Microsoft Active Directory (AD) offers a central platform for managing user identities, access rights, and policies. For example, an AD can implement certificate-based authentication and authorization of users in local networks, such as a WLAN, when used in conjunction with an authentication server (e.g., RADIUS, Remote Authentication Dial-In User Service).

Network Security – How Can I Secure Networks with My PKI?

In VPNs (Virtual Private Networks), PKIs are used to authenticate the identities of communicating parties and establish a secure, encrypted connection over public networks. This is crucial for protecting sensitive corporate data during remote access by employees to company resources, such as when working from home. Digital certificates can also secure connections between corporate locations. Furthermore, using certificates improves the scalability of the VPN service, as they are easy to manage and distribute, even as the number of users or devices grows.

NAC – What is Network Access Control (NAC)?

This security mechanism uses certificates to control the access of endpoint devices to a company’s network infrastructure. Endpoint devices include PCs, laptops, printers, and mobile devices. Access to the company’s network infrastructure (LAN/WLAN) is granted only after successful authentication of the devices with a valid certificate. The certificates must be presented at the network entry point (switch or WiFi access point) and authenticated by a RADIUS server. The network entry point is only activated after successful authentication.

Email Encryption – Can I Encrypt Emails with Certificates?

Email certificates are an important tool for enhancing secure email communication within a company or between companies. They enable employees to digitally sign their emails, guaranteeing the integrity and authenticity of the message. Additionally, these certificates allow for the encryption of emails, protecting sensitive information from unauthorized access. Public certificates from Public CA providers are often used for this purpose. Secure email communication can be achieved either end-to-end or through the use of central email gateways.

SSL/TLS – Can I Use SSL/TLS Web Server Certificates?

SSL/TLS certificates are essential for securing web applications and services. They use certificates from a public certification authority (Public CA), whose validity can be verified by all participants on the internet. With a large number of certificates, a Certificate Lifecycle Management (CLM) system can help reduce the effort and costs associated with managing certificates.

Securing Mobile Devices – How Can I Secure My Mobile Devices?

Mobile Device Management (MDM) platforms are used to manage and secure mobile devices within a company. A PKI plays a crucial role in securing communication between mobile devices, apps, users, and corporate services. A PKI with integrated CLM can optimize the deployment and management of digital certificates on mobile devices, ensuring secure access to corporate resources.

Digital Signatures – Can I Create Digital Signatures for My Documents?

Document signing certificates are used to verify the authenticity and integrity of documents. A Managed PKI solution can automate the issuance and renewal of these certificates, ensuring that signed documents (e.g., PDFs) are trusted by end users and stakeholders. PKIs enable the creation of digital signatures, which confirm the authenticity and integrity of electronic documents. This is often used for legal documents and contract signings.

Code Signing – How does code signing work with my PKI?

Digital certificates play a crucial role in code signing by enhancing the security, integrity, and trust in software products and/or firmware. They confirm the identity of the software publisher. Users can rest assured that the software actually comes from the specified company and not from an unknown or malicious actor. When software is signed, users can be confident that the code has not been altered since the signing. Any modifications to the code after signing would invalidate the digital signature, thereby protecting users from manipulated or infected software.

Use Cases in the Future – Can I implement all of my use cases with it in the long term?

All common use cases can be implemented with the 360° GSA offering. To achieve this, you can leverage the numerous technical interfaces, administrative features, and comprehensive consulting services. As we continuously evolve and update our system, our users also benefit from many new features or optional extensions.

Certificate Discovery – How can I systematically search for (hidden) certificates in my company?

The Certificate Discovery feature allows for systematic scanning for unknown private and public server certificates. The scanning process enables a network scan for SSL/TLS certificates, a discovery functionality that automatically searches LDAP and Active Directory instances for certificates, and a search in Certificate Transparency Logs. The discovered certificates are then imported into the CLM. This functionality will significantly ease the management of Microsoft certificates in the CLM.Automatically identify and import all certificates into your system without additional manual effort. Quickly and easily create a digital inventory of all public and private TLS/SSL certificates within the company. Gain a comprehensive and visual overview of all deployed certificates and their associated devices. Identify unknown certificates in your environments as well. Analyze potential risks by identifying and listing the deployed certificates with the used and potentially problematic cryptographic primitives.You can find all the necessary steps to scan your certificates in the company in the online documentation.

Certificate Revocation – Why do I need OCSP and CRL Responders?

For reliable and high-performance certificate revocation, customers often inquire about specific OCSP and CRL functionalities from a PKI provider. MTG Managed Corporate PKI fully meets these functions:

OCSP Responder according to RFC 6960
OCSP Stapling according to RFC 6961
LDAP and HTTP CRL Distribution Point Support

Root CA – Do I have my own Root CA?

The highest trust authority in a PKI is the Root Certification Authority (Root CA). This Root CA signs one or more subordinate Sub Certification Authorities (Sub CAs) with its private key. This ensures that the certificate issuing entity, the Sub CA, is trustworthy. A Root CA contains highly sensitive key material. That’s why it’s important for every customer to set up their own Root CA and protect the key material in Hardware Security Modules.

Multiple Root CA – Can I set up multiple Root CAs?

If necessary, two or more Root CAs can also be set up. This may be necessary in certain cases, for example, if different key algorithms are to be used (for example, elliptic curves for certain industry standards and RSA for standard applications such as S/MIME).

Offline Root CA – When do I need an offline Root CA?

An Offline Root CA is a very special case that requires additional manual effort from the service provider. An offline Root CA is a special variant that must be kept in a highly secure environment and is only activated when setting up additional Sub-CAs (which is very rare, if ever). The offline mode provides extremely strong protection against unauthorized access. An offline Root CA should only be used when particularly high requirements for IT security are imposed, which the customer must meet, for example, due to regulatory requirements.

Sub-CA – Do I have my own Sub-CA?

Under a Root CA, multiple Sub-CAs can be set up if needed. This can be helpful, for example, if a stronger separation of business units within a company is required.

Multiple Sub-CAs – When do multiple Sub-CAs make sense?

Under a Root CA, multiple Sub-CAs can be set up if needed. This can be helpful, for example, if a stronger separation of business units within a company is required.

Audit Log – Can I log everything for my security?

The traceability of all CA activities is an important quality characteristic demanded within certifications and standards. In the event of a security incident, this data serves as evidence of fulfilling due diligence obligations. For this purpose, the 360 Managed PKI & CLM provides a detailed audit log.

Documentation – Is there (online) documentation available?

All customers have access to comprehensive online documentation. This documentation is also provided upon successful activation of the free online demo.

Automation – What can I automate with the 360° Managed PKI & CLM?

Comprehensive automation interfaces save time, money, and reduce error susceptibility. With the CLM, all processes for certificates originating from connected CAs can be automated: Currently, these are the MTG, Microsoft, GlobalSign, and Telekom CAs. The major advantage for Microsoft CA users is the ability to automate processes outside the Microsoft world.

What can be automated?

Automation of certificate support for all major PKI interfaces:
Linux-based servers using ACME
Network devices using SCEP, EST & CMP
All other systems using REST & CLI Client
Mobile devices using SCEP protocol

Autoenrollment – Is it possible to connect my Public CA or my PKI to Microsoft Active Directory?

With the CLM Autoenrollment Connector, you can establish a connection between your Public CA or the MTG PKI and Microsoft Active Directory. This allows you to replace your Microsoft PKI (ADCS) with minimal effort!Start using the future-proof MTG PKI immediately for a wider range of application scenarios within and outside the Windows environment. Maintain all established and automated Windows processes for issuing, renewing, and deploying certificates in the Microsoft Active Directory.Additionally, integrate a Public CA for the use of public certificates within your automated Windows processes.The introduction of the Autoenrollment component depends heavily on the customer’s specific application scenario. Therefore, numerous additional services on the customer side are necessary before use. MTG provides support, if needed, for integrating the Microsoft PKI with the MTG PKI.For easier integration, a test simulator can be provided upon request, which is installed locally to test all options. The simulator is a Java application that simulates a simple PKI. This significantly aids in autonomously testing the MS integration of the Autoenrollment Connector.

Offer & Billing

Professional Package – Who is it suitable for?

This package is suitable for customers who wish to continue using their Microsoft PKI (ADCS) and expand it with a CLM. The management and monitoring of their certificates are to be optimized with it. The package is also interesting for customers who want to manage many Public CA certificates with a CLM. For this purpose, we offer the integration of Public CAs via GlobalSign or via PSW Group.

Ultimate Package – Who is it suitable for?

The Ultimate Package is suitable for all customers who want to replace their Microsoft PKIs with little effort in order to simplify certificate management and quickly and easily implement more use cases. It is also suitable for customers who do not yet have a PKI but want to establish and manage their certificate-based processes with as little expertise as possible. This offer is also suitable for customers who do not want to operate a private PKI in their own data center. This may apply to new customers who want or need to use a PKI for the first time, or to those who already have one but no longer want to operate it themselves.

Billing Model – How is billing done?

There is a monthly base fee that already includes 50 certificates. Depending on the selected package, the base fee may vary slightly. Larger packages can also be ordered as needed. The average certificate price decreases more significantly the larger the chosen certificate package. Billing is done monthly. If more certificates are used than ordered, the certificate package will be adjusted accordingly.

Cost Planning – What costs can I expect?

We would be happy to provide prices for the certificate packages upon request. The certificate package price includes all important cost components. Depending on prior knowledge and available PKI know-how, a budget may need to be allocated for the analysis and implementation of use cases. To make this planning feasible even without PKI experience, we offer a free two-month Proof-of-Concept. In addition, a free kick-off meeting with our PKI experts is held. Here, all questions can be clarified, and the specific external consulting needs in all phases of the project can be determined. Based on this, you will receive an offer and can budget for the analysis, implementation, and even for the subsequent operational phase. After the free trial period, all certificate-based processes that have been implemented can be transitioned into operational use.

Microsoft PKI (AD CS)

AD CS – Isn't my free MS PKI completely sufficient?

If you want to use a modern PKI, you should consider alternatives to Microsoft PKI (ADCS). Our experience shows that two main motivations drive companies to switch from a free Microsoft PKI to a more modern solution:

Better Certificate Lifecycle Management: Modern PKI solutions offer more comprehensive and automated tools for managing the lifecycle of certificates. This includes issuance, renewal, revocation, and monitoring of certificates, significantly reducing administrative overhead and increasing security.
More Use Cases with Less Effort: A more modern PKI can support a wider range of use cases, often with significantly less effort. These include advanced integrations, support for mobile devices, IoT security, and cloud environments. This allows your company to flexibly respond to new requirements and technological developments.

For further details and well-founded answers on this topic, please refer to the linked article, which has also informed the creation of these FAQs. It is important to carefully assess your specific needs and the future requirements of your company to choose the best PKI solution.
Limits of Microsoft Active Directory Certificate Services – Uwe Gradenegger

Certificate Lifecycle Manager – Can I integrate my MS PKI with the CLM?

Yes, it is possible to seamlessly integrate the Microsoft CA (AD CS) with the CLM. This allows you to leverage your existing Microsoft CA for additional, non-Windows-specific use cases, such as issuing certificates for Linux servers via ACME.

For customers using a Microsoft PKI, two options are available:

Professional Package: Your Microsoft PKI continues to operate, and the CLM also manages certificate-based processes. This enables centralized management and automation of certificates, enhancing efficiency and security.
Ultimate Package: If the CLM Autoenrollment Connector is used with the Ultimate Package, the Microsoft PKI can be fully replaced by the MTG PKI without the need to change Active Directory-based processes. This provides seamless integration and allows you to benefit from the advanced features and greater flexibility of the modern PKI.

These options offer you the opportunity to leverage the benefits of a modern PKI while continuing to use or gradually replace your existing infrastructure.

Microsoft AD CS Migrationschart

Migration – Can I replace my MS PKI with the 360° Managed PKI & CLM without any friction loss?

With the CLM Autoenrollment Connector, you have a connection from your Public CA or the MTG PKI to Microsoft Active Directory. This allows you to replace your Microsoft PKI (AD CS)!

Start using the future-proof MTG PKI immediately for a wider range of application scenarios within and outside the Windows environment.
Maintain all established and automated Windows processes for issuing, renewing, and deploying certificates in the Microsoft Active Directory.
Additionally, integrate a Public CA for the use of public certificates within your automated Windows processes.

The introduction of the Autoenrollment component heavily depends on the customer’s specific application scenario. Therefore, numerous additional services on the customer’s side are necessary before use. If needed, 360° GSA provides support for integrating the Microsoft PKI with the MTG PKI.

For easier integration, a test simulator can be provided upon request, which is installed locally to test all options. The simulator is a Java application that simulates a simple PKI. This significantly aids in autonomously testing the MS integration of the Autoenrollment Connector.

Microsoft AD CS Migrationschart

Certificate Lifecycle Management – Does MS AD CS have a CLM?

The Microsoft CA (ADCS) can manage certain certificates, but the scope of additional capabilities is limited. Those in need of comprehensive Certificate Lifecycle Management (CLM) should look for suitable extensions, such as our offering.

A modern CLM offers numerous advantages, including:

Web-based User Self Services: These allow users to manage certificates independently, significantly reducing administrative overhead.
Flexible Customizable Certificate Policies: These enable precise customization of certificate policies to meet the specific requirements of your organization.
Detailed Configuration Options: These allow for the exact definition of roles and permissions to meet security requirements and compliance mandates.

With a modern CLM, you can not only manage the lifecycle of your certificates more efficiently but also significantly enhance the security and flexibility of your IT infrastructure.

Use Cases with AD CS – Can I implement all Use Cases with the MS PKI?

We cannot answer that question definitively. To our knowledge, the Active Directory Certificate Services (ADCS) currently do not support the following interfaces:

Enrollment over Secure Transport (EST)
Automatic Certificate Management Environment (ACME) (although there are third-party solutions available)
Certificate Management Protocol (CMP)
REST or SOAP-based interfaces for certificate requests are also not available.

There are specialized providers on the market that can fill these gaps with licensable components. However, our current 360° Managed PKI & CLM offering covers all the above components at no additional cost in both the Professional and Ultimate packages.

This means that with our solution, you receive comprehensive support for various use cases without having to worry about additional costs or compatibility issues. This ensures that your PKI meets all current and future requirements.

Maintenance & Updates – How current is the MSPKI?

The Active Directory Certificate Services (AD CS) have essentially existed (albeit under different names) since Windows NT 4.0. The architecture based on Active Directory that is used today was introduced with Windows 2000 Server.

AD CS are well integrated into the Windows ecosystem and continue to enjoy widespread popularity in organizations and agencies of all sizes worldwide. This long-standing integration and widespread use speak to the reliability and stability of the Microsoft PKI.

However, this also means that the underlying technology and some of the implemented protocols may not reflect the latest innovations and security standards. To meet modern security requirements and benefit from the latest developments in cryptography and PKI technology, supplementing or replacing with a more modern PKI solution may be advisable.

A modern PKI not only provides higher security and better automation features but also offers comprehensive support for current and future use cases in hybrid and cloud-based environments.

Windows Server & Certification Authority – Can I operate multiple Certification Authorities on one server with the MSPKI (ADCS)?

No, with the Active Directory Certificate Services (ADCS), it is necessary to operate a complete Windows Server instance for each logical Certification Authority (CA). Depending on the size of the organization, it may be advisable to separate and limit CAs based on their purpose.Furthermore, there are often multiple Active Directory environments and CA hierarchies. This inevitably leads to a higher number of CA servers, all of which need to be managed, hardened, updated, maintained, and financed.However, from a PKI technology perspective, it is technically possible to operate multiple CAs on the same server, thus saving costs. Leading PKI specialists enable this seamlessly nowadays. By using modern PKI solutions, you can reduce the number of required server instances, simplify management, and lower operating costs.

High Availability – Is real high availability supported?

The Certification Authority database in Active Directory Certificate Services (AD CS) is implemented as a monolithic structure per server. This means that it cannot be consolidated across multiple Certification Authorities and must be operated directly on the respective Certification Authority servers.

The Certification Authority database does not support database replication for true clustering. In the current cluster implementation, only one cluster node can and should access the database files through the file system. This significantly limits the possibilities for implementing true high availability.

However, modern PKI solutions offer advanced options for high availability, including database replication and support for true cluster environments. This ensures that your PKI infrastructure remains available and reliable even in the event of failures of individual components.

By deploying a modern PKI solution, you can significantly improve the availability and resilience of your certification services.

Certificate Templates – Is there Active Directory integration and certificate templates?

Yes, certificate templates are stored in Active Directory. However, there are some limitations:

Automatic creation and editing: There is no official method for automatically creating and editing certificate templates. This means that changes must be made manually, which can be time-consuming and error-prone.
Global configuration: The configuration of certificate templates affects all issued certificates from a specific Certification Authority. If differentiated handling is required, an additional Certification Authority needs to be set up.
Additional resources: Setting up additional Certification Authorities requires deploying additional Windows servers, resulting in additional costs and administrative overhead.

Modern PKI solutions offer much more flexibility and automation in this regard. They allow for finer granularity in managing certificate policies and templates and support automatic processes for creation and management. This significantly reduces administrative overhead and minimizes the risk of errors. By deploying a modern PKI, you can optimize certificate integration and management, reduce operating costs, and enhance the efficiency of your IT infrastructure.

Availability – What happens to availability when configuration changes are made?

When configuration changes are made to a Certification Authority, it requires a restart of the service. This results in a temporary interruption in the availability of the Certification Authority.

This interruption can be critical, especially if the Certification Authority is frequently used or if the changes need to be made during important operational hours. Modern PKI solutions offer advantages in this regard through features such as:

No restart required: Many modern PKI systems allow configuration changes to be made without requiring a service restart. This minimizes downtime and ensures continuous availability.
Redundant configuration: Some solutions provide the option to make and test changes on a redundant instance before going live. This ensures that the primary instance remains available.
Automated rollbacks: In case of an error, modern PKI systems can perform automatic rollbacks to the previous configuration to quickly return to full functionality.

By deploying a modern PKI solution, you can maximize the availability of your certification services while increasing flexibility and efficiency in managing and configuring your PKI infrastructure.

Certificate Policies – Can I create them with the AD CS Policy Module?

Yes, but the standard policy module from Windows does not allow the creation of rules for manual certificate requests. This often results in errors during certificate issuance, such as missing attributes, unrecognized syntax errors, the possibility of multiple CNs, and incorrect issuances that can have security implications.

PKI Migration – Can I retain all my Active Directory settings during the PKI migration?

With the CLM Autoenrollment Connector, you have a connection from your 360° Managed PKI & CLM to the Microsoft Active Directory. This allows you to replace your Microsoft PKI (ADCS) with minimal effort!

Start using the future-proof MTG PKI immediately for a wider range of scenarios both within and outside the Windows ecosystem.
Retain all established and automated Windows processes for issuing, renewing, and deploying certificates within the Microsoft Active Directory.
Additionally, integrate a Public CA for utilizing public certificates within your automated Windows processes.

The introduction of the autoenrollment component heavily depends on the customer’s specific scenario. Therefore, numerous additional services are required on the customer’s side before use. MTG provides support, if needed, for integrating the Microsoft PKI with the MTG PKI.

For easier integration, a test simulator can be provided upon request, which is installed locally to test all options. The simulator is a Java application simulating a simple PKI, significantly aiding in autonomously testing the MS integration of the autoenrollment connector.

AD CS Interface Support – Does AD CS support common interfaces required for modern PKI operations?

A key interface for certificate enrollment in ADCS is RPC/DCOM or MS-WCCE, which is proprietary and more optimized for on-premise environments and less so for the cloud-native world. This interface is restricted to Active Directory authentication methods. Another essential interface is SCEP, which, however, often leads to increased complexity in implementing certain automation processes.
To our knowledge, ADCS currently does not support the following important interfaces:

Enrollment over Secure Transport (EST)
Automatic Certificate Management Environment (ACME) (though third-party solutions exist)
Certificate Management Protocol (CMP)
REST or SOAP-based interfaces for certificate enrollment are also unavailable.

There are specialized providers in the market that can address these gaps with licensable components. Our current 360° Managed PKI & CLM offering covers all the mentioned interfaces and features at no additional cost in the Professional and Ultimate packages.
This modern PKI solution allows you to utilize common interfaces and supports automation and integration into various IT environments, including cloud services, significantly enhancing your flexibility and efficiency.

Network Device Enrollment Service (NDES) – What do I need to consider with the Network Device Enrollment Service (NDES), are there any issues or limitations?

The Network Device Enrollment Service (NDES) has several limitations that should be considered during implementation and usage:

Lack of policy definition: NDES does not allow the definition of specific policies for certificate enrollment. This means that each combination of Certification Authority, certificate template, and password policy must be individually configured.
Separate server instances: Each combination of Certification Authority, certificate template, and password policy requires its own paid Windows Server instance. This can lead to significant additional costs and administrative overhead.
No high availability: High availability is not possible with NDES because there is no replication mechanism for one-time passwords. A server failure would therefore result in an interruption of certificate services.
Outdated CSP interfaces: NDES uses outdated Cryptographic Service Provider (CSP) interfaces, limiting the use of modern cryptographic techniques and technologies.
No support for elliptic curves: NDES does not support elliptic curves, which are used in many modern cryptographic applications. This can affect the security and efficiency of your PKI.

For a modern and future-proof PKI implementation, you should consider exploring alternative solutions that do not have these limitations. Modern PKI solutions offer more extensive features, better scalability, high availability options, and support for current cryptographic standards, including elliptic curves.

OCSP – Can I use an Online Responder without any issues?

Since the certification authority servers are members of the Active Directory, they can be compromised in various ways, such as through group policies, unauthorized accounts logging in with administrator rights, or compromised service accounts.

The same applies to the publication of Certificate Revocation Lists (CRLs) and the request for OCSP response signing certificates. These are authenticated using Active Directory mechanisms. Security-critical CRL and OCSP servers, often connected to the Internet, are therefore usually located in the same Active Directory forest as the certification authorities and are often administered using the same accounts. This increases the risk that compromising a CRL or OCSP server also jeopardizes the certification authorities.

Modern PKI solutions offer advanced security mechanisms to mitigate these risks, including:

Isolated environments: OCSP responders and CRL servers can be operated in isolated environments separate from the certification authorities to prevent the spread of compromises.
Stronger authentication mechanisms: Implementing multi-factor authentication and role-based access control reduces the risk of unauthorized access.
Regular security audits: Regular audits and security assessments can help identify and address potential vulnerabilities early on.
By using modern PKI technologies and best practices, you can significantly increase the security and reliability of your OCSP responders and certification authorities.

Access to the Active Directory – How can I protect access to the AD when using the MPKI?

Protecting access to your Active Directory (AD) is especially important when using the MTG PKI together with the MS AD Gateway. Here are some measures you can take to increase security:

Virtual Private Network (VPN): Use a VPN to ensure a secure and encrypted connection for accessing your network and AD. This is a fundamental measure to prevent unauthorized access.
Multi-Factor Authentication (MFA): Implement MFA for all users accessing the AD. This ensures that, in addition to the password, another form of identity verification is required, significantly enhancing security.
Network Access Control (NAC): Deploy NAC to control network access based on user roles, device types, and other criteria. NAC helps grant access only to authorized devices and users.
Segmentation and Microsegmentation: Divide your network into smaller, isolated segments. This restricts access to the AD to specific network segments and minimizes the spread of potential threats.
Least Privilege Principle: Ensure that users have only the minimum necessary rights required for their tasks. This reduces the risk of insider threats and inadvertent errors.
Monitoring and Logging: Implement comprehensive monitoring and logging mechanisms to detect unusual activities early and respond accordingly. Use Security Information and Event Management (SIEM) solutions for log analysis and management.
Hardened AD Servers: Secure your AD servers through specialized hardening measures. This includes removing unnecessary services, regular security updates, and using secure configuration standards.

By combining these measures, you can effectively protect access to your Active Directory and significantly enhance the security of your entire IT infrastructure.

Can I keep my ADCS and just use the CLM?

Yes, that’s possible without any issues.

Can I connect the Key Storage Provider to a Network Hardware Security Module (HSM) without restrictions?

The “Key Storage Provider” interface is not designed to work with network appliances. For example, if a Network Hardware Security Module (HSM) is used and the connection to it is temporarily interrupted, the Certification Authority service will no longer be able to access the private key of the Certification Authority. This leads to several issues:

Failed certificate requests: Since the Certification Authority service can no longer access the private key, all certificate requests fail until the connection is restored and the service is restarted.
Revocation list generation: Revocation lists also cannot be generated, affecting the management and enforcement of certificate revocations.

Microsoft Cloud PKI Intune

What is the Microsoft Cloud PKI for Microsoft Intune?

As of today, the Microsoft Cloud PKI is a solution designed to serve a single use case: the assignment, renewal, and distribution of certificates to devices managed through Intune. These devices must support SCEP and PKCS#7 for certificate distribution. Therefore, the range of device types that can be managed via Intune is limited (e.g., no servers or network devices). Whether there are plans to expand these capabilities in the future is currently unknown to us.

Where does this service run, and are there any potential limitations?

The entire service, with all its components and functions, runs in the cloud. There are no components that need to run on-premises or are required to be on-premises. This makes it a suitable solution for native cloud customers who no longer have any IT infrastructure in-house and expect limited functionality regarding certificates. For example, SSL/TLS or SMIME certificates cannot be issued, nor can certificates for systems not managed by Intune. Additionally, it is not possible to export certificates to use them on other systems.

Are there any limitations in the configuration?

You can create a maximum of two levels in the PKI, such as a Root CA and one level for Issuing CAs. However, it is possible to have the Root CA on-premises (BYOCA) and create the Issuing CA at Microsoft. Currently, there is another limitation: a maximum of 6 CAs can be created, and an existing one cannot be deleted by the user. If deletion is needed, a support call to Microsoft is required. Additionally, the current solution is limited regarding policies. Only one policy can be created for the certificates, and it applies to all issued certificates. Any changes to this policy (e.g., encryption or hash algorithms, or key lengths) would cause all certificates to be reissued and deployed.

What key lengths are available?

The CA can currently create RSA keys with lengths of 2048, 3072, or 4096 bits. The available hash algorithms include SHA-256, SHA-384, and SHA-512, which are sufficient for now. Technologies like Elliptic Curve are not available.

Does Microsoft Cloud PKI have Certificate Lifecycle Management?

Yes, but it is limited to a single use case: the assignment, renewal, and distribution of certificates to devices managed through Intune. Since Microsoft Cloud PKI can only serve devices managed through Intune that support the SCEP profile, a Certificate Lifecycle Management (CLM) is inherently provided. Certificates are automatically created, distributed, and renewed without user intervention, ensuring that expired (and forgotten) certificates are not an issue. Beyond the defined use case within Cloud PKI, no additional certificates can be created or distributed, so no further CLM is necessary for this application.

Is it possible to integrate your keys/HSMs?

Currently, the keys are managed through Azure HSMs, and no Azure subscription is required for this. The use of third-party HSMs is not possible at this time.

Is there a migration path from AD CS to Microsoft Cloud PKI?

No, because the Cloud PKI is not a successor to AD CS. It is a service specifically designed for the creation and distribution of certificates for a single use case: devices managed through Intune.

Consulting & Support

Scope of Consultation – Do I receive support for planning, operations, and further development?

Our PKI experts are available to assist you in every phase of planning, implementation, operation, and further development of your system, tailored to your level of expertise and needs.

Further Development – Can I flexibly evolve my PKI?

Our system is regularly updated and expanded with new features. The CLM has been designed to enable implementation of all essential PKI processes within the enterprise. Even if you start with a specific configuration and use cases, and granted permissions, you can always introduce new processes and use cases on your own. Of course, our PKI experts are also available to support you if needed.

PKI Planning – What questions do I no longer have to worry about with the 360 MPKI & CLM?

The implementation of a PKI, especially operating it in your own data center, is a challenging and complex task. It is recommended when specific use cases and requirements need to be addressed with individual customizations. However, depending on the use case, operating a PKI in-house may not be permissible for regulatory reasons. As an alternative, our 360° Managed PKI & CLM is available, requiring less effort in planning, preparation, and operational management. Our 360° Managed PKI & CLM is deployed faster, relieving users of the responsibility of configuring, backup concepts, ensuring resilience, access controls, and access rights. All of these tasks are handled by us as your service provider. We provide the infrastructure and offer flexibility for new requirements. Additionally, we handle software and security updates, adjustments to growing encryption requirements, and ensure a secure, certified environment. Expertise in PKI and IT security does not need to be built separately within the department. Your 360° Managed PKI & CLM is set up exclusively for you and covers the entire trust chain from root CA to sub-CA to end-user certificates. Scalability and key protection according to the latest technological standards are also part of our services. If needed, public certificates can be obtained through one or more connected public CAs, such as for public email certificates, to make them externally verifiable. CLM is an essential part of our offering and should be included in any PKI. Especially when selecting a Managed PKI provider, the location and proof of compliance with all relevant data protection requirements are decisive factors. If the service is provided from a third country outside the EU, the transmission and storage must comply with the GDPR data protection requirements. Public authorities are particularly under scrutiny in this regard. Your 360° Managed PKI & CLM comes from a service provider based in Germany, ensuring users the proven legal framework conditions.

Guide to implementing a PKI – eGovernment.de

On-site Service – Consultation for issues and topics that occur on-site at the customer's location

With our alliance partner XELANED, there is always the option to request on-site support.

Project Process & Onboarding

Free Trial Opportunities – What is the difference between the Online Demo and the Proof-of-Concept (PoC)?

The Online Demo can be requested, activated, and tested within a few clicks for trial purposes, and it remains active for 2 months. The Online Demo provides the full functionality of the commercial version, allowing you to test all planned use cases. However, after 2 months, the certificates issued during the trial period expire. The Proof-of-Concept differs from the Online Demo in that all configurations and use cases tested during the two-month trial can seamlessly transition into operational use. Activation of the trial period requires contacting our sales team and participating in a free preparatory workshop with our PKI experts.

Project Process – What does a typical project process look like with which milestones?

(1) Free Demo: You may have already tested the free online demo or contacted us directly. (2) Initial Consultation: In an initial conversation, we clarify where you stand. For example, do you want to replace your Microsoft PKI or perhaps extend it with a CLM? If you haven’t had a PKI before, do you plan to use one in the future? How many private and public certificates are planned? What is the purpose of the PKI, and what are the initial use cases? Are there regulatory requirements (e.g., NIS2, DORA…)? Is there a need for consultation, service, and operational support? etc. (3) After the initial conversation, we plan a follow-up appointment with you for a free kick-off workshop with our PKI experts. Here, the preparation of the free Proof-of-Concept takes place. (4) Free testing: You have 2 months to test on your own or can request our consultants for analysis, conception, and implementation. (5) Transition to operational mode: If you choose our offer, the test operation will seamlessly transition to operational mode. (6) We are available for further questions, developments, and support in operational mode.

Onboarding – How does it work?

If you have chosen our 360° Managed PKI & CLM, it will be ready for you shortly after the order is placed. Typically, activation occurs within 1-5 business days.

Deployment – Complexity & Installation Effort

Our customers don’t have to worry about much. The setup of the Managed PKI is done by our experienced PKI experts, who build and install the environment tailored to the customer’s needs, and then set up and configure the PKI according to the customer’s specifications. The essential information for this is collected via an onboarding form. Our customers provide details about the desired PKI hierarchy, based on which the CA certificates are created and the PKI is set up. Our PKI experts are available to provide guidance and support in completing both questionnaires. The implementation of certificate-based processes can be undertaken by the customer themselves or they can request our assistance. Training videos and comprehensive online documentation are available to support them in this process.
Managed PKI or on-premise strategy – Security-Insider.de

On-Premise PKI vs. Managed PKI – What are the advantages of an MPKI over an On-Premise PKI?

A private Managed PKI can be implemented with significantly less effort and preparation time compared to an on-premise solution. Trusted authentication, verification, integrity, and encryption for critical and sensitive enterprise processes and applications are readily available. Companies can quickly focus on securing their business processes and make use of the established PKI more swiftly. With a Managed PKI, users are relieved of the effort required for secure configuration, backup concepts, and fault tolerance. Access controls and permissions are regulated, the necessary infrastructure is in place, and it scales with growing demands. Moreover, there is no need to build extensive PKI and IT security expertise or hire specialized personnel. The service provider takes care of regular software and security updates, as well as adjustments to constantly evolving crypto requirements. Handling hardware security modules and the required specialized knowledge is also managed by the service provider.

The overall costs for an on-premise PKI are usually much higher due to personnel, infrastructure, and operational costs, compared to the relatively lower costs for software licenses. Even open-source PKI solutions do not significantly reduce total costs. Whether on-premise or managed PKI – both have their justification for existence. For specific requirements and depending on the scenario, companies or operators of critical infrastructures and authorities have no choice but to opt for an on-premise PKI. However, especially in medium-sized enterprises where standard applications are implemented and secured, Managed PKI offerings provide the opportunity to significantly lower entry barriers and greatly improve security in the company, all at significantly lower costs.

On-Premise Offering – Can I also use the on-premise offering?

Upon request, MTG AG would be happy to provide you with an offer for this and take into account your individual requirements if necessary. The installation will then take place, following joint planning and preparation, in the data center of your choice. We recommend checking in advance whether managed cloud operation may be possible under certain conditions.

Migration & Integration

Migration – Can I migrate my MS-PKI?

Currently, you can replace the Microsoft PKI with the 360° Managed PKI & CLM. However, you can also continue operating your Microsoft PKI and simply integrate the CLM. This allows you to use an existing Microsoft CA for additional non-Windows use cases, such as issuing Linux server certificates via ACME.
For customers using a Microsoft PKI, there are two options:

Professional Package: Continue operating the Microsoft PKI, but manage all certificate-based processes through the CLM.
Ultimate Package: If the CLM Autoenrollment Connector is used with the Ultimate Package, the Microsoft PKI can be fully replaced by the MTG PKI without needing to change Active Directory-based processes.

Using only the CLM – Can I keep my MS-PKI (ADCS) and just use the CLM?

Yes, you can. The integration is not a problem.

Integration of Private CAs – Can I integrate other PKIs?

In principle, external private CAs can also be connected to the CLM. However, currently, this is only possible with the Microsoft CA.

Integration with public CAs – Can I integrate public CAs?

Public certificates are required for secure communication with external entities. In principle, all existing public certificates can be imported into the CLM. If you want to simplify the request, import, and operation with the CLM, it is recommended to technically integrate it with the CLM. Currently, this is possible with the Public CA from GlobalSign. There are plans to offer a central access point for all major public CA providers in cooperation with PSW Group. Upon request, we can inform you about which other public CA providers will be connected in the future.

Integration with the customer environment – How is the integration with the customer environment done?

The integration with the customer environment is facilitated through secure access mechanisms, which are clarified with the customer during a kick-off meeting. When using specific automation interfaces such as ACME or the Autoenrollment Connector, a Site-to-Site VPN between the customer environment and the customer-specific MPKI instance is required. The GUI, components, and automation interfaces are accessible via HTTP, with connections being secured using TLS. Restriction of access to the URLs is possible and coordinated during the kick-off meeting.

Interfaces & Automation

ACME – What is ACME?

Automatic Certificate Management Environment (ACME) is a protocol for automatically verifying ownership of an internet domain and issuing certificates for web servers.MTG Docs: ACME

SCEP – What is SCEP?

Simple Certificate Enrollment Protocol (SCEP) is a protocol for provisioning digital certificates, primarily designed for network devices.
MTG Docs: SCEP

EST – What is EST?

Enrollment over Secure Transport (EST) is a certificate management protocol.
MTG Docs: EST

CMP – What is CMP?

Certificate Management Protocol (CMP) is a protocol used for managing X.509 certificates.
MTG Docs: CMP

REST – What is REST?

REST API of the Certificate Lifecycle Managers.
MTG Docs: REST API

CLI – What is CLI?

The CLI client enables more flexibility and configurability in the automatic issuance of certificates.
MTG Docs: ERS CLI

Certifications

ISO27001 – Does the DARZ data center have the corresponding certification?

The entire modular service portfolio of DARZ has been ISO 27001 certified since 2015. The special feature of this certification lies in the assessment of the entire company. In addition to the data center area, cloud services, managed services, and project management, up to the company’s own employees and suppliers, i.e., the entire business areas, have been awarded. DARZ leaves no area open for exceptions. Clearly defined, efficient, and yet flexible processes have been documented in procedural instructions and are thus valid throughout the company and documented comprehensively. As a result, DARZ also meets all GxP guidelines.

DARZ Certificate: ISO/IEC 27001:2013

ISO 27001 – Does the software manufacturer MTG have an ISO 27001 certification?

MTG develops and distributes innovative IT security software solutions with a high emphasis on confidentiality, integrity, and availability. Fulfilling these objectives of information security is our inherent quality standard. Since March 2017, the entire company has been certified according to ISO/IEC 27001.

MTG Certificate: ISO/IEC 27001

BSI C5 – Does the DARZ data center meet the requirements of the BSI Cloud Computing Compliance Criteria Catalogue?

BSI C5 is a criteria catalog published by the Federal Office for Information Security outlining minimum requirements for secure cloud computing. DARZ has been meeting these requirements since 2024.

BSI TR-03145 – Does the DARZ data center have the corresponding certification?

The certification according to the Technical Guideline TR-03145 is the legal basis for the operation of Smart Metering solutions (SM-PKI), TSE Cloud solutions (TSE-PKI), and Corporate PKI. DARZ has held this certificate since 2018.

DARZ Certificate: BSI-K-TR-0635-2024

Reliable Data Center Cat lll & DIN EN50600 Cat lll – Does the DARZ data center have the corresponding certification?

The DARZ data center located in Darmstadt has been certified as “Reliable Data Center Cat lll” by TÜV Rheinland Cert GmbH since 2016. In 2021, we replaced this certification with the higher certification according to DIN EN50600 Cat lll. DIN EN 50600 represents the first pan-European standard that provides comprehensive requirements for the planning, construction, and operation of a data center with a holistic approach. It defines requirements for the planning of the construction disciplines, electrical supply, air conditioning, cabling, security systems, and establishes criteria for the operation of data centers.
DARZ Certificate: DIN EN 50600

Veeam ProPartner – Does the DARZ data center have the corresponding certification?

DARZ GmbH has been a partner of Veeam for many years and once again received the official ProPartner certification in 2023, valid until December 31, 2023.

DARZ Certificate: Veeam-Partner

Green electricity – Does the DARZ data center use eco-friendly electricity?

The DARZ GmbH has been sourcing green electricity for several years and aims to contribute to Germany’s sustainability and climate change efforts.
DARZ Certificate: Green electricity

HSM Certification – What security certifications do the deployed HSMs have?

The customer-specific signing keys of the MTG CA are secured using a nShield Hardware Security Module (HSM) from Entrust. There is one HSM each at the Darmstadt and Frankfurt locations, clustered via a Remote File System (RFS) server. Entrust nShield Connect HSMs are certified according to FIPS 140-2 Level 3 and Common Criteria EAL4+ (EN 419 221-5).

FAQ