Answers to your questions about the 360° Managed PKI & CLM solution

Frequently Asked Questions (FAQ)

Product Features

Keycloak offers flexible authentication by providing centralized sign-in and sign-out functionality across all MTG ERS® applications (CLM, PKI, KMS):

Supports OpenID Connect and SAML
Google reCAPTCHA support to prevent bot logins
Multi-factor authentication via OTP for added security (TOTP, HOTP)
Strong authentication using X.509 certificates
Configurable password policies (length, character sets, complexity, etc.)
Customizable authentication workflows for fine-tuned control of each login process
LDAP, Active Directory, and other Kerberos integrations available
Supports the latest W3C web authentication (WebAuthn) standard

Import Certificates – Can I import any certificate into the CLM?

Yes, you can always manually import your company’s certificates into the centralized certificate management system. Importing public certificates is especially easy: just click, and a scan begins. If automation is possible, the import process is even more seamless. Learn more in our Technical Documentation: MTG Docs: Find All Your Certificates

Create a Certificate – How do I issue a certificate?

Issuing a certificate in the CLM is very straightforward. Learn more in our Technical Documentation: MTG Docs: Your First Certificate in 4 Steps

Reporting & Monitoring – What can I track?

You can track certificate status continuously and avoid surprises. MTG CLM provides a comprehensive notification system that alerts you before certificate expiration. This ensures timely renewals.
Additional features include:

User-friendly dashboards for certificate status by business area
Advanced filtering/search and CSV export for ease of analysis
Centralized logs for tracking admin actions in the system

Roles & Permissions – What can I configure?

You can centrally manage roles and permissions, fully customizing settings for users, business units, and policies. MTG CLM allows:

Realms based on departments, groups, or hierarchy
Role-specific permissions (read, configure, etc.)
Tailored notification rules
Adaptive user interface based on permissions

Learn more in our Technical Documentation: MTG Docs: Control Roles Before They Do

Policies – How do certificate templates prevent misconfiguration?

Policies contain a comprehensive set of rules required for configuring different types of certificates. This ensures that entries are complete, error-free, and compliant. Individual templates for email, servers, networked hardware, or mobile devices can be created this way. The MPKI comes with a selection of preconfigured policies that cover nearly all common use cases, requiring no further action on the customer’s side.

Restricting selection to approved algorithms
Limiting use to approved key material
Setting certificate validity periods
Choosing between manual or automatic approval of certificate requests
Enforcing the four-eyes principle

Depending on the intended use of a certificate, specific requirements are implemented through policies tailored to that scenario. Each Managed PKI instance is delivered with a set of predefined policies for standard scenarios, which can be customized and applied. Additional policies can be created by cloning and adapting existing ones, or by defining entirely new policies from scratch. If specific templates are required, or existing ones need adjustment, this can be arranged as part of our consulting services. Our PKI experts will support you in designing and setting up these templates. Learn more about Policies in our Technical Documentation: MTG Docs: Foolproof Policy Templates

Policies – Do you provide Built-in Templates?

Each Managed PKI instance comes with a set of predefined policies for standard scenarios, which can be customized and applied. By default, the following policy templates are included:

SSL/TLS Server, ACME – Standard TLS certificates for web servers
Machine, SCEP, EST, CMP – Certificates for network devices (e.g., switches, routers, printers, etc.)
Person, S/MIME Email – Secure email (S/MIME), VPN access protection, secure logon
Person Active Directory – AD certificates issued to users, e.g., as part of the autoenrollment process
Code Signing – Certificates for signing software/code

If you provided specific details about automation protocols in the onboarding form, additional matching templates will be activated automatically. In addition, new policies can be created based on existing ones—for example, by cloning a current policy and adjusting individual values. It is also possible to define entirely new policies from scratch. Learn more about Policies in our Technical Documentation: MTG Docs: Foolproof Policy Templates

Public Certificates – Can I use public certificates or purchase via CLM?

Yes. For secure external communication, it is recommended to use public certificates. The MTG CLM currently integrates with PSW Group and GlobalSign public CAs, with plans to support more providers. Custom integrations can be arranged on request.

Realms – Can I organize my PKI by business unit?

Absolutely. The MTG CLM allows you to define realms by department, enabling decentralized self-services without constant central admin involvement.

Approval Workflows – Can I control who approves certificate issuance?

Yes. You can configure manual or automatic approvals and enforce the four-eyes principle for greater control.

HSM – Is a Hardware Security Module required for PKI?

Yes. For secure key protection, HSMs are essential. They generate and safeguard cryptographic keys, meeting data protection standards like GDPR, ISO 27001, and NIS2. In critical infrastructure, HSMs are standard.
MTG uses Entrust nShield Connect HSMs (FIPS 140-2 Level 3, Common Criteria EAL4+), clustered across Darmstadt and Frankfurt.

Identity & Access Management (IAM) – How does PKI enhance security?

Digital certificates provide an additional layer of authentication and security that goes beyond simply knowing a password. They also require possession of a secret value associated with the certificate.

Digital certificates can be used for authenticating and authorizing users and devices across various corporate networks. Typical examples include Windows users, computers, laptops, firewalls, routers, switches, and IoT devices.

Certificate-based authentication methods are most commonly implemented in Microsoft environments. Microsoft Active Directory (AD) provides a central platform for managing user identities, access rights, and policies. For example, AD can be combined with an authentication server (such as RADIUS – Remote Authentication Dial-In User Service) to enable certificate-based authentication and authorization of users in local networks, such as a corporate Wi-Fi.

Network Security – How can PKI protect my network?

PKI authenticates communication in VPNs securely, essential for remote access and site-to-site connections. Certificates simplify scalability and management as your user/device count grows.

NAC – What is Network Access Control?

NAC uses certificates to control device access to a corporate network. Devices must present a valid certificate to network entry points (like WiFi or switches), which authenticate via RADIUS before granting access.

Secure Email – How do certificates protect email communication?

S/MIME certificates enable digital signing (verifies sender and integrity) and encryption (protects content). You can manage public S/MIME certs within MTG CLM. For high-volume email usage, it’s recommended to use your email security gateway for bulk distribution and let CLM handle other certificate workflows.

SSL/TLS – Can CLM handle web server certificates?

Yes. CLM can help you issue and manage SSL/TLS certificates from public CAs, reducing administrative overhead.

Mobile Device Security – How do I secure mobile devices (MDM)?

Using MDM platforms, certificates secure communication for mobile devices. PKI with CLM simplifies managing certificates across mobile fleets for secure resource access.

Digital Signatures – Can I sign documents?

Yes. PKI issues document-signing certificates to verify authenticity and integrity. This is essential for trusted e-signatures like PDFs and legal documents.

Code Signing – How does it work?

Certificates verify software publisher identity and ensure code integrity. Any modification invalidates the signature, protecting users from tampered software.

Future Use Cases – Is the platform future-proof?

Yes. 360 GSA’s platform supports a wide range of current and future use cases through integration, automation, and advisory services. The platform is continuously updated for new features and industry needs.

Certificate Discovery – How do I find hidden certificates in my network?

Discovery allows automated scanning of networked devices, LDAP/AD, and CT logs to identify certificates and safely import them into CLM. Benefits include:

Automated scanning
Visual inventory of certificates and devices
Detection of unknown certs
Risk analysis via crypto usage reports

Learn more in our Technical Documentation: MTG Docs: Find All Your Certificates

Revocation – Why do I need OCSP and CRL responders?

CLM supports full certificate revocation standards:

OCSP Responder (RFC 6960)
OCSP Stapling (RFC 6961)
LDAP & HTTP CRL distribution support

Root CA – Do I need my own?

Yes. Your Root CA is the trust anchor. Sensitive key material must be protected—hence, every client gets its own Root CA in a secure environment.

Multiple Root CAs – When are they useful?

If different algorithms (e.g., elliptic curve vs. RSA) are needed for various uses, multiple Root CAs can provide the required flexibility.

Offline Root CA – When do I need one?

An offline Root CA is only needed for extremely high security or regulatory scenarios where the Root CA is kept in a restricted environment and only activated as needed (e.g., during Sub-CA setup).

Sub-CA – Can I have one?

Yes. You get both a Root CA and a Sub-CA to support a full trust hierarchy.

Multiple Sub-CAs – When useful?

Multiple Sub-CAs help segment issuance by business unit or use case for clearer organization.

Audit Logging – Can I track all activity?

Yes. CLM includes detailed audit logs, essential for compliance and breach investigations.

Documentation – Is there online / technical documentation?

Yes. You receive access to comprehensive online documentation as part of the demo activation.

See our Technical Documentation: MTG Online Documentation

Automation – What can I automate with the 360° Managed PKI & CLM?

The MTG CLM supports automation across all connected CAs: MTG, Microsoft, GlobalSign, and Telekom.

Key automation includes:

ACME for Linux servers
SCEP, EST, CMP for network hardware
REST & CLI for all other systems
SCEP for mobile devices

Autoenrollment – Can my PKI or Public CA connect to MS Active Directory?

Yes. With the CLM Autoenrollment Connector, you can integrate your Public CA or MTG PKI with Microsoft AD CS.
Benefits include:

Retaining existing automated Windows workflows
Extending PKI beyond Windows environments
Adding Public CA integration when needed

MTG offers a Java-based simulator to test AD integration prior to deployment.

Plans & Billing

FREE Plan – Who is it for?

Ideal starter option. Full-featured PKI & CLM at no cost, no setup, limited to 50 certificates. Perfect for gaining real-world experience. Import and manage your own certificates for free.

Pricing & Features

BUSINESS Plan – Who is it for?

For growing companies. Manage up to 10,000 active certificates in 500‐certificate tiers. Includes expanded features and support—great for full enterprise use.

Pricing & Features

ENTERPRISE Plan – Who is it for?

Tailored solutions for complex environments. Unlimited certificate management with custom pricing—ideal for large enterprises with advanced needs.

Pricing & Features

Upgrade from FREE to BUSINESS – Is it seamless?

Ein Upgrade von FREE auf BUSINESS. An upgrade from FREE to BUSINESS can be carried out at any time without issues. Certificates issued and active in the FREE plan remain fully usable.

Upgrade from FREE to ENTERPRISE – Is it seamless?

Yes. An upgrade from FREE to ENTERPRISE can also be carried out at any time without issues. Certificates issued and active in the FREE plan remain usable.

Rare exception: If you choose the optional dedicated HSM (additional cost) during the upgrade to ENTERPRISE, the certificates issued under FREE must be reissued.

Upgrade from BUSINESS to ENTERPRISE – Is it seamless?

Yes. An upgrade from BUSINESS to ENTERPRISE can be carried out at any time—for example, if you need more than 10,000 active certificates or require one or more of the exclusive ENTERPRISE features.

Rare exception: If a dedicated HSM is requested later (after initial setup), the transition is more complex. Since keys from the shared HSM cannot be exported, all certificates would need to be reissued by the customer in this case.

How are the plans billed?

For the BUSINESS and ENTERPRISE plans, there is a monthly fee based on the number of active certificates in use.

Active certificates are defined as all certificates in a PKI that are:

currently valid,
not revoked, and
actively used by systems, applications, or users.

Inactive certificates are those that are:

expired,
revoked, or
issued in advance but not yet in use.

The number of active certificates is a key metric for PKI operations, as it reflects the certificates actually in use.
Active certificates are tracked and billed monthly. The minimum validity period for certificates is one month.

Optional features available within each plan can be added on request. These are billed as a fixed monthly fee, independent of usage.

Project & Upgrade Timing

Project Process – What does a typical project process look like?

For onboarding, the customer fills out an onboarding form when ordering a plan. This form defines how the system will be integrated into the existing infrastructure. Preparation and implementation of the individual use cases, as well as their concrete configuration, are carried out by the customer. If needed, our consulting services and fixed-price packages can be booked. Explore Service Packages

Preparation – How should I best prepare for a PKI project?

We recommend every customer include an analysis and design phase before implementing the use cases. The FREE Plan is ideal here, since it allows you to explore all options and features.

Analysis
First, organizational and technical framework conditions should be captured. The goal is to understand and outline company structure, relevant systems, and existing security and compliance requirements. The result is a complete understanding of the starting point, on which all further steps are based.

Design
Based on the analysis, the customer creates a design/concept that can be implemented using the configuration options of the CLM user interface. Here, responsibilities, roles, and processes are defined, and the technical architecture is designed.

If needed, our consulting services and fixed-price packages can be booked.

Explore Service Packages

Onboarding & Configuration – How do I access my personal instance?

Provisioning / Certificate Creation with CLM and MTG CARA
In this phase, the solution is provisioned and integrated into the customer environment. Options include:

Public IP (direct access via a public IP address)
VPN (secure access via a VPN tunnel)
IP Whitelisting (access only from pre-approved source IP addresses)

Implementing Use Cases with Certificate Distribution and Usage
Next, the provided system is used for the defined use cases. Certificate distribution and usage must be organized and implemented accordingly. Ideally, this has already been planned during the analysis and design phase.

If needed, our consulting services and fixed-price packages can be booked.

Explore Service Packages

Timing – How quickly is my FREE Plan available?

After successful registration and approval, the FREE Plan is usually available within 24 hours on business days (Mon–Fri, 9 a.m.–5 p.m. CET).

Timing – How quickly is the upgrade from FREE to BUSINESS completed?

An upgrade from FREE to BUSINESS (or ENTERPRISE) is usually completed quickly after quotation and order confirmation.
The duration depends on the desired secure connection:

IP-based access: approx. 1–3 business days
VPN: approx. 5–10 business days (depending on the customer providing the required information)

Timing – How quickly is the upgrade from FREE to ENTERPRISE completed?

An upgrade from FREE to ENTERPRISE is usually completed quickly after quotation and order confirmation, provided no dedicated infrastructure, offline Root CA, or dedicated HSM is required.

The duration typically depends on the desired secure connection:

IP-based access: approx. 1–3 business days
VPN: approx. 5–10 business days (depending on the customer providing the required information)

If dedicated infrastructure, an offline Root CA, or a dedicated HSM is required, delivery times must be estimated individually. The bottleneck is usually the lead time and setup of HSMs.

In rare cases where a dedicated HSM is added during an upgrade, additional manual effort from the customer is required. Since keys from the shared HSM cannot be exported, all certificates would need to be reissued by the customer.

Timing – How quickly is the upgrade from BUSINESS to ENTERPRISE completed?

An upgrade from BUSINESS to ENTERPRISE is typically completed within 1–3 business days after quotation and order confirmation.

If dedicated infrastructure, an offline Root CA, or a dedicated HSM is required, delivery times must be estimated individually. The bottleneck is usually the lead time and setup of HSMs.

Timing – How quickly can individual use cases be implemented?

The technical implementation of specific use cases depends on the customer’s prior experience. With MTG’s Starter Packages, however, time and cost can be reliably calculated and implemented predictably.

Explore Service Packages

Common Concerns

Why is the FREE Plan free?

Because we want to make it as easy as possible for you to get started.

Many companies are still at the very beginning of using certificates—but their needs are growing. With our FREE Plan, you can use the full-featured solution right away in live operation—without setup effort, without hidden costs, and with the full range of features, limited only to 50 certificates.

This way, you gain valuable experience, build internal know-how, and can scale flexibly later on. Our goal: make the technology tangible, lower barriers, and build trust.

And if you need more? You already know us, you know how we work—and you can build directly on that instead of starting from scratch. We want to be there for you when your requirements grow.

What’s the catch with the FREE Plan?

There is no catch – but there are clear boundaries. Our FREE Plan is a cost-free entry into a full-fledged Managed PKI & CLM platform, operated in Germany in a secure environment. We deliberately provide this upfront, because we want you to truly test our solution, automate your first certificates, and build trust.

Of course, not everything is included compared to the paid plans:

Limited to 50 active certificates
No dedicated support or access to our ticketing system
No redundancy, high availability, or scalability
No VPN access – usage is only via public interfaces
No guarantees on availability or operation

But: you’re already using the same technical platform as in the paid plans – without setup, directly in live operation. An upgrade is possible at any time without disruption. We want you to get to know us – not through contracts, but through real experience. And when your needs grow, we’ll be there with matching packages. Fair. Transparent. Made & Managed in Germany.

I don’t have PKI know-how – do I need someone to get started?

No – that’s exactly what our solution was designed for.

The 360° Managed PKI & CLM platform is tailored specifically for medium-sized businesses: easy to use, securely preconfigured, and built so that no deep PKI expertise is needed to get started. The complexity stays under the hood – right where it belongs.

If you’d like support, our Quickstart Packages and Premium Support bring the expertise directly to you – with real PKI experts who guide you step by step, advise you as equals, and remain available during operations.

That way, you succeed – even without prior knowledge.

I don’t have resources to manage a project – what can I do?

No problem, that’s exactly what we’re here for.

Our solution is designed as a Managed Service, meaning we handle operations, maintenance, and updates for you. With our Quickstart Packages, we get you to your goal without detours – including technical setup, integration, and implementation of your first use cases.

You don’t have to fight through a PKI project on your own:
We deliver a ready-to-use, productive system – and if you wish, we’ll stay by your side during operations, too.

This way, you can focus on your core business while your certificate processes run securely and automatically in the background.

I don’t have a PKI budget – it hasn’t cost me anything so far. Why switch?

That’s exactly why we offer the FREE Plan: you start at no cost – with the full PKI & CLM platform, operated in Germany. Perfect for getting started, limited to 50 certificates, but without setup costs or contractual obligations.

Made & Managed in Germany means: your data stays in Germany, the platform is audit-proof and GDPR-compliant – even in the FREE Plan.
Your private keys are securely stored in certified Hardware Security Modules (HSMs) starting from the FREE Plan – an essential step toward true data sovereignty.

When your needs grow, you’re prepared – with a platform you already know. And with an upgrade that works seamlessly.

I only need a few certificates – is it worth it?

Yes – that’s exactly what the FREE Plan is for.

Many companies start with only a few certificates – the demand often grows over time. With the FREE Plan, you jump right in: you use the full Managed PKI & CLM platform, operated in Germany – free of charge, without setup, limited to 50 certificates.

You can automate your first processes, gain valuable experience, and be well prepared when your requirements increase. Upgrades are possible at any time – without changing systems and without data loss.

You can even import existing certificates into CLM – they don’t count toward the 50 certificates included in the FREE Plan.

Will I face additional costs?

Yes, but for good reason.

Our FREE Plan is deliberately designed so you can get started without hurdles: a full platform, no setup effort, operated in Germany, free up to 50 certificates. This already covers initial requirements and lets you gain valuable experience.

When your PKI grows, or legal requirements (e.g., for key management, Hardware Security Modules) apply, we offer fair, transparent pricing for additional features and services – including certified environments in Germany, personal support, and real data sovereignty.

In short: we want to make it easy for you to get started – and reliably support you exactly when it matters most.

I have special requirements that aren’t covered by the standard solution. What can I do?

That’s exactly what the ENTERPRISE Plan is for. If you have complex requirements – such as multiple PKIs, custom operating models, specialized algorithms, or especially high security standards – the ENTERPRISE Plan gives you full flexibility: with exclusive infrastructure, dedicated HSMs, unlimited certificates, tailored integration, and optional 24/7 support.

Everything remains Made & Managed in Germany – and fully aligned with your environment.

Microsoft PKI (AD CS)

AD CS – Isn’t my free Microsoft PKI (AD CS) sufficient?

If you want to use a modern PKI, you should definitely consider alternatives to Microsoft PKI (AD CS). Our experience shows two main motivations lead companies to move from a free Microsoft PKI to a more modern solution:

Better Certificate Lifecycle Management: Modern PKI solutions provide more comprehensive, automated tools for managing the certificate lifecycle. This includes issuing, renewing, revoking, and monitoring certificates, which significantly reduces administrative effort and increases security.
More use cases with less effort: A modern PKI can support a wider range of use cases—often with considerably less effort. These include extended integrations, support for mobile devices, IoT security, and cloud environments. This enables your company to respond flexibly to new requirements and technological developments.

You can find more details and well-founded answers in the linked article, which also informed the creation of these FAQs. It’s important to carefully assess your specific needs and your company’s future requirements in order to choose the best PKI solution.

“Limitations of Microsoft Active Directory Certificate Services” — Uwe Gradenegger

Certificate Lifecycle Manager – Can I connect my Microsoft PKI (AD CS) to CLM?

Yes, it is straightforward to connect Microsoft CA (AD CS) to CLM. This allows you to use your existing Microsoft CA for additional, non-Windows-specific use cases—such as issuing Linux server certificates via ACME.

For customers already running Microsoft PKI (AD CS), there are two options:

Professional Package: Your Microsoft PKI continues to operate, while CLM also manages certificate-based processes. This enables centralized management and automation of certificates, increasing both efficiency and security.
Ultimate Package: With the CLM Autoenrollment Connector included in the Ultimate Package, Microsoft PKI (AD CS) can be fully replaced by MTG PKI—without changing Active Directory–based processes. This provides seamless integration while giving you access to the extended features and higher flexibility of a modern PKI.

These options allow you to benefit from a modern PKI while continuing to use your existing infrastructure—or gradually phasing it out.

Microsoft AD CS Migration Chart

Migration – Can I replace my Microsoft PKI with the 360° Managed PKI & CLM without disruption?Y

Yes. With the CLM Autoenrollment Connector, you establish a connection between your public CA or the MTG PKI and Microsoft Active Directory. This allows you to replace your Microsoft PKI (AD CS).

Start using the future-proof MTG PKI right away for a broader range of application scenarios inside and outside the Windows world.
Continue using all your established, automated Windows processes for issuing, renewing, and deploying certificates within Microsoft Active Directory.
Additionally, integrate a public CA to use publicly trusted certificates within your automated Windows processes.

The introduction of the Autoenrollment component depends heavily on the customer’s specific use cases. Therefore, several preparatory steps are required on the customer side before use. If needed, 360° GSA provides support for integrating Microsoft PKI (AD CS) with MTG PKI.

For easier integration, a test simulator can be provided on request. It is installed locally and allows you to test all options. The simulator is a Java application that simulates a simple PKI—significantly helping to independently test Microsoft integration with the Autoenrollment Connector.

Microsoft AD CS Migration Chart

Certificate Lifecycle Management – Does Microsoft AD CS include CLM?

Microsoft CA (AD CS) can manage certain certificates, but its overall capabilities are limited. Companies that require comprehensive Certificate Lifecycle Management (CLM) should consider appropriate extensions—such as our solution.

A modern CLM offers numerous advantages, including:

Web-based user self-services: Allow users to manage certificates independently, significantly reducing administrative workload.
Flexible certificate policies: Enable precise customization of certificate policies to match your company’s specific requirements.
Detailed configuration options: Allow exact definition of roles and permissions to meet security and compliance demands.

With a modern CLM, you not only manage the lifecycle of your certificates more efficiently, but also significantly improve the security and flexibility of your IT infrastructure.

Use Cases with AD CS – Can I cover all use cases with Microsoft PKI?

We cannot give a blanket “yes.” To our knowledge, Active Directory Certificate Services (AD CS) currently do not support the following interfaces:

Enrollment over Secure Transport (EST)
Automatic Certificate Management Environment (ACME) (third-party solutions exist)
Certificate Management Protocol (CMP)
REST- or SOAP-based interfaces for certificate requests are also not available

There are specialized vendors that close these gaps with licensable add-ons. However, our 360° Managed PKI & CLM covers all of the above at no additional cost.

That means with our solution, you receive comprehensive support for a wide range of use cases—without worrying about extra costs or compatibility issues. This ensures your PKI meets all current and future requirements.

Maintenance & Updates – How current is Microsoft PKI?

Active Directory Certificate Services (AD CS) have essentially existed (under different names) since Windows NT 4.0. The AD-based architecture in use today was introduced with Windows 2000 Server.

AD CS is deeply integrated into the Windows ecosystem and continues to enjoy widespread use in organizations and government agencies of all sizes. This long-standing integration and broad adoption speak for the reliability and stability of Microsoft PKI.

However, it also means that the underlying technology and some implemented protocols do not reflect the latest innovations or security standards. To meet modern security requirements and benefit from advancements in cryptography and PKI technology, it often makes sense to complement or replace AD CS with a modern PKI solution.

A modern PKI not only offers higher security and better automation, but also broader support for hybrid and cloud-based use cases.

Windows Server & CA – Can I run multiple CAs on one server with AD CS?

No. With Active Directory Certificate Services (AD CS), each logical certification authority requires its own complete Windows Server instance. Depending on company size, it may make sense to separate CAs by use case.

In practice, this often results in multiple Active Directory environments and CA hierarchies—leading to a higher number of CA servers, all of which must be managed, hardened, patched, and financed.

From a PKI technology perspective, it is entirely possible to run multiple CAs on one server to save costs. Modern PKI platforms make this straightforward. By switching to a modern PKI solution, you can reduce the number of required servers, simplify management, and lower operational costs.

High Availability – Does AD CS support true HA?

The CA database in AD CS is implemented per server in a monolithic fashion. It cannot be consolidated across multiple CAs and must run directly on the issuing server.

The CA database does not support replication for real clustering. In current implementations, only one cluster node at a time can access database files, which makes true high availability very difficult.

Modern PKI solutions, by contrast, support database replication and real clustering. This ensures your PKI remains available even if individual components fail.

By using a modern PKI, you can significantly improve uptime and resiliency of your CA services.

Certificate Templates – Does AD integrate with templates?

Yes, certificate templates are stored in Active Directory. However, there are limitations:

Automatic creation & editing: There is no official way to automatically create or edit templates. All changes must be done manually, which is time-consuming and error-prone.
Global configuration: Template settings apply globally to all certificates issued by a given CA. If differentiated handling is required, you must set up an additional CA.
Extra resources: Setting up extra CAs requires additional Windows Servers, meaning more cost and administration.

Modern PKI solutions, on the other hand, offer far more flexibility and automation. They allow fine-grained management of certificate policies and templates, support automated creation and management, reduce admin overhead, and minimize risk of error.

Availability – What happens if I change a CA configuration?

In AD CS, configuration changes require restarting the service. This interrupts availability until the restart completes.

That can be critical if the CA is heavily used or if changes must be made during business hours.

Modern PKI platforms solve this with:

No restarts required – changes can be applied without downtime.
Redundant configs – test changes on a secondary instance before going live.
Automated rollbacks – revert instantly if an error occurs.

This ensures maximum availability while maintaining flexibility in configuration.

Certificate Policies – Can AD CS create policy modules?

Yes, but the standard Windows policy module cannot define rules for manual certificate requests. This often leads to issues such as missing attributes, syntax errors, duplicate CNs, or faulty issuances—sometimes with security impact.

PKI Migration – Can I keep my AD settings when switching PKI?

Yes, with the CLM Autoenrollment Connector, you can link our 360° Managed PKI & CLM to Active Directory and replace Microsoft PKI with minimal effort.

Keep existing automated Windows certificate processes for issuance, renewal, and distribution.
Leverage MTG PKI for modern, broader use cases beyond Windows.
Integrate a public CA for automated issuance of public certs in your Windows workflows.

We also provide a local test simulator on request, so you can trial all options before full integration.

AD CS Interfaces – Does AD CS support modern PKI standards?

The main enrollment interface for AD CS is RPC/DCOM (MS-WCCE), which is proprietary and not optimized for cloud or hybrid environments. It’s limited to AD-based authentication.

SCEP is available, but often requires significant workarounds.

Currently unsupported by AD CS:

EST
ACME (except via third-party tools)
CMP
REST/SOAP APIs

Specialized vendors offer paid add-ons to fill these gaps. In contrast, our 360° PKI & CLM supports all of them natively—without extra cost.

NDES – What should I watch out for?

The Network Device Enrollment Service (NDES) has several limitations:

No policy definition per certificate type.
Each CA/template/password combo requires a separate paid Windows Server instance.
No high availability (no replication of one-time passwords).
Legacy CSP interfaces (not suited for modern crypto).
No support for elliptic curves.

For a future-proof PKI, consider modern alternatives that provide scalability, HA, and support for modern crypto standards.

OCSP – Can I run an Online Responder safely?

Since CA servers are AD members, they can be compromised via group policies, admin accounts, or service accounts. OCSP and CRL servers share this risk if they’re in the same AD forest.

Modern PKIs mitigate this by:

Isolating OCSP/CRL servers.
Enforcing MFA and RBAC.
Regular audits and monitoring.

This makes OCSP responses much more secure and reliable.

AD Access – How can I secure AD if I use MPKI?

Protecting AD is critical. Best practices include:

Use VPN for secure remote access.
Require MFA for all AD users.
Enforce NAC (device- and role-based access control).
Apply network segmentation/microsegmentation.
Follow the least privilege principle.
Use logging and SIEM for monitoring.
Harden AD servers with security baselines and updates.

Together, these measures greatly improve AD and PKI security.

Can I keep AD CS and just use CLM?

Yes—this is possible without issues.

Can I connect Key Storage Provider to a network HSM?

Not reliably. The KSP interface is not designed for network appliances. If the connection to a network HSM drops, the CA service loses access to its private key.

This leads to:

Failed certificate requests (until service restart).
Inability to publish CRLs.

Microsoft Cloud PKI for Microsoft Intune

What is Microsoft Cloud PKI for Microsoft Intune?

As of today, Microsoft Cloud PKI is a solution designed to serve a single use case: the assignment, renewal, and distribution of certificates to devices managed via Intune. These devices must support SCEP and PKCS#7, which are used to deliver the certificates.
This means the range of device types that can be managed with Intune is limited (e.g., no servers or network devices). It is currently unknown whether Microsoft plans to expand functionality in the future.

Where does this service run, and are there limitations?

The entire service—including all components and functions—runs in the cloud. There are no on-premises components required.

This makes it a suitable option for cloud-native customers who do not maintain their own IT infrastructure and only expect limited certificate capabilities.
For example:

No SSL/TLS or S/MIME certificates can be issued.
Certificates cannot be issued for non-Intune-managed systems.
Certificates cannot be exported for use in other environments.

Are there configuration limitations?

Yes. Currently, only two PKI levels can be created—for example, one Root CA and one Issuing CA layer.

It is possible to host your Root CA on-premises (Bring Your Own CA – BYOCA) and let Microsoft host the Issuing CA.
Other current restrictions:

A maximum of six CAs can be created.
The customer cannot delete existing CAs; a Microsoft support ticket must be opened for that.
Only one policy can be defined for all certificates.

If changes are made (e.g., to encryption algorithms, hash algorithms, or key lengths), all certificates are reissued and rolled out again.

What key lengths are supported?

Currently, the CA supports RSA keys of length 2048, 3072, or 4096 bits.
Hash algorithms available: SHA-256, SHA-384, and SHA-512.
Elliptic Curve Cryptography (ECC) is not available.

Does Microsoft Cloud PKI include Certificate Lifecycle Management (CLM)?

Yes, but limited to the single use case: assigning, renewing, and distributing certificates to Intune-managed devices.

Since Microsoft Cloud PKI only works with Intune-managed devices that support the SCEP profile, a basic form of CLM is inherent:

Certificates are automatically created, distributed, and renewed.
No user interaction is required.
Expired or forgotten certificates are not an issue.

However, no additional certificates can be created or distributed outside this defined use case. Therefore, no further CLM functionality is included or needed.

Can I use my own keys or HSMs?

Currently, keys are backed by Azure HSMs.

No separate Azure subscription is required.
Third-party HSMs are not supported at this time.

Is there a migration path from AD CS to Microsoft Cloud PKI?

No. Microsoft Cloud PKI is not a successor to AD CS.
It is a limited service built only for one scenario: issuing and distributing certificates to Intune-managed devices.

Consulting & Support

Advisory Scope – Do I get support for planning, operations, and further development?

Yes – you receive comprehensive support from the very beginning and throughout the entire lifecycle of your PKI solution.

Our consulting packages cover all phases: planning, operations, and continuous improvement. With our Quickstart packages, you can get started quickly and in a structured way. For ongoing operations, our Premium Support is available – including personal assistance, configuration help, and direct access to experienced PKI experts. And when your requirements change, our Consulting Package supports you with secure adjustments to your solution – technically sound and strategically thought through.

Further Development – Can I flexibly expand my PKI?

Our solution is continuously enhanced with innovative functions. The CLM is designed to efficiently cover all central PKI processes in your organization. Even if you begin with a specific configuration and selected use cases, you always have the flexibility to introduce new processes and use cases yourself.

If desired, our PKI experts are available to assist you with the implementation of additional use cases – fully supported by our specially developed.

Explore Service Packages

PKI Planning – What questions do I no longer need to worry about with 360° MPKI & CLM?

Deploying and operating a PKI in your own data center is undoubtedly a demanding and complex task, especially when special use cases and individual adjustments are required. In many cases, operating a PKI on your own is not the best solution.

This is where our 360° Managed PKI & CLM comes in – a turnkey alternative that requires significantly less effort for planning, implementation, and ongoing operations.

With our 360° Managed PKI & CLM, you can get started faster and free yourself from managing complex topics like configuration, backup strategies, high availability, access controls, and rights management. We take care of it all as your reliable service provider.

We don’t just provide the necessary infrastructure – we also offer maximum flexibility for new requirements. Software and security updates, as well as adjustments to ever-stricter encryption policies, are naturally part of our service portfolio. This way, you don’t need to build additional PKI or IT security know-how yourself.

Your 360° Managed PKI & CLM is set up individually for your organization and covers the entire trust chain – from the Root CA to Sub-CAs down to user certificates. Maximum scalability and the protection of your keys according to the latest technical standards are guaranteed.

In addition, we offer the option to obtain public certificates via one or more connected public CAs – ideal for external verifiability of public email certificates, for example.

A key element of our offering is the CLM (Certificate Lifecycle Management), which no modern PKI solution should be without. Especially when choosing a Managed PKI provider, aspects like secure data storage and compliance with all relevant security requirements play a crucial role. Here, GDPR compliance is essential – particularly for the public sector, which is under special scrutiny.

With our 360° Managed PKI & CLM, you can rely on a trusted provider from Germany that ensures legally compliant conditions and guarantees comprehensive protection of your sensitive data.

Is on-site service available?

Yes. Thanks to our alliance partner XELANED, you can always request personal on-site support if required.

Migration & Integration

Migration – Can I migrate my MS PKI?

Yes, you can currently replace Microsoft PKI with the 360° Managed PKI & CLM. However, you can also continue running your Microsoft PKI for now while connecting only the CLM.

This enables you to use an existing Microsoft CA for additional non-Windows use cases, such as issuing Linux server certificates via ACME.

For customers already using Microsoft PKI, there are two options:

Microsoft PKI (ADCS) is connected and continues running, but all certificate-based processes are managed through the CLM.
Microsoft PKI (ADCS) is migrated to our CA: Using the Autoenrollment Connector, Microsoft PKI can be fully replaced by MTG PKI – without changing the existing Active Directory–based processes.

CLM Only – Can I keep my MS PKI (ADCS) and just use the CLM?

Yes, you can. The integration is no problem.

Connecting Private CAs – Can I connect other PKIs?

In principle, external private CAs can also be connected to the CLM. Currently, however, this is only possible with Microsoft CA.

Connecting Public CAs – Can I connect Public CAs?

Public certificates are needed for secure communication with external entities. You can generally import all existing public certificates into the CLM.

If you want to simplify requesting, importing, and managing them via the CLM, a technical connection is recommended. Currently, this is possible with the public CA from GlobalSign. Selected Sectigo certificates obtained through PSW Group can also be integrated. On request, we can inform you which additional public CA providers will be supported in the future.

Connecting Customer Environment – How does the integration into the customer environment work?

The connection to the customer environment takes place via secure access mechanisms.

When using certain automation interfaces, such as ACME or the Autoenrollment Connector, a site-to-site VPN between the customer environment and the dedicated MPKI instance is required for security reasons.
The GUI as well as the components and automation interfaces are accessible via HTTP, with all connections secured by TLS.
Restricting access to specific URLs is also possible.

Interfaces & Automation

ACME – What is ACME?

Automatic Certificate Management Environment – Protocol for the automated verification of domain ownership and issuance of certificates for web servers.

MTG Docs: ACME

SCEP – What is SCEP?

Simple Certificate Enrollment Protocol – Protocol for issuing digital certificates, mainly for network devices.

MTG Docs: SCEP

EST – What is EST?

Enrollment over Secure Transport – Certificate management protocol.

MTG Docs: EST

CMP – What is CMP?

Certificate Management Protocol – Protocol for managing X.509 certificates.

MTG Docs: CMP

REST – What is REST?

REST API of the Certificate Lifecycle Manager.

MTG Docs: REST API

CLI – What is CLI?

Provides greater flexibility and configurability for automated certificate issuance through the CLI client.

MTG Docs: ERS CLI

Certifications

ISO27001 – Does the DARZ Data Center have the corresponding certification?

The entire modular service portfolio of DARZ has been certified according to ISO 27001 since 2015. The uniqueness of this certification lies in the evaluation of the entire company. In addition to the data center area, cloud services, managed services, and project management, as well as employees and suppliers, i.e., all business areas, were also assessed. This ensures that no area is exempt from the certification. Clearly defined, efficient, and yet flexible processes have been documented in procedural instructions and are therefore valid and traceable across the entire company. As a result, DARZ also meets all GxP guidelines.

DARZ Certificate: ISO 27001:2022

ISO27001 – Does the manufacturer of the software MTG have an ISO 27001 certification?

MTG develops and markets innovative IT security software solutions with high standards for confidentiality, integrity, and availability. The achievement of these information security protection goals is our fundamental quality commitment. Since March 2017, the entire company has been ISO/IEC 27001 certified.

MTG Certificate: ISO/IEC 27001

BSI C5 – Does the DARZ Data Center meet the requirements of the BSI Cloud Computing Compliance Criteria Catalogue?

BSI C5 is a criteria catalog published by the Federal Office for Information Security (BSI) with minimum requirements for secure cloud computing. DARZ has been meeting these requirements since 2024.

Information on request to info@da-rz.de.

Is the 360° Managed PKI & CLM solution tested for BSI C5 Type 2?

DARZ GmbH has carried out its certification based on Cloud Computing C5 Type 1 (document verification) in 2024 and has now increased the level to Cloud Computing C5 Type 2 (effectiveness verification) in 2025. The MPKI solution has thus been reviewed according to the requirements of the BSI Cloud Computing Compliance Criteria Catalogue.

Information on request to info@da-rz.de.

BSI TR-03145 – Does the DARZ Data Center have the corresponding certification?

The certification according to Technical Directive TR-03145 is the legal basis for operating smart metering solutions (SM-PKI), TSE cloud solutions (TSE-PKI), and enterprise PKI. DARZ has held this certificate since 2018.

DARZ Certificate: BSI-K-TR-0635-2024

DIN EN50600 Cat III – Does the DARZ Data Center have the corresponding certification?

The DARZ Data Center at the Darmstadt location has been certified as a “Reliable Data Center Cat III” by TÜV Rheinland Cert GmbH since 2016. In 2021, we replaced this certification with the higher certification according to DIN EN50600 Cat III. DIN EN 50600 is the first cross-border standard across Europe, providing comprehensive guidelines for the planning, construction, and operation of data centers. It defines requirements for the planning of construction, electrical supply, air conditioning, cabling, security systems, and sets criteria for the operation of data centers.

DARZ Certificate: DIN EN 50600

Veeam ProPartner – Does the DARZ Data Center have the corresponding certification?

DARZ GmbH has been a partner of Veeam for many years and has again received the official ProPartner certification in 2023, which is valid until December 31, 2023.

DARZ Certificate: Veeam-Partner

Renewable Energy – Does the DARZ Data Center purchase its energy sustainably?

DARZ GmbH has been purchasing green electricity for several years and aims to contribute to sustainability and the climate transition in Germany.

DARZ Certificate: Renewable Energy

HSM Certification – What security certifications do the HSMs used have?

The customer-specific signing keys of the MTG CA are secured using an nShield Hardware Security Module from Entrust. There is one HSM each at the Darmstadt and Frankfurt locations, clustered via an RFS server (Remote File System). Entrust nShield Connect HSMs are certified according to FIPS 140-2 Level 3 and Common Criteria EAL4+ (EN 419 221-5).

ISO27001 – Does the DARZ Data Center have the corresponding certification?

DARZ Certificate: ISO 27001:2022

ISO27001 – Does the manufacturer of the software MTG have an ISO 27001 certification?

MTG Certificate: ISO/IEC 27001

BSI C5 – Does the DARZ Data Center meet the requirements of the BSI Cloud Computing Compliance Criteria Catalogue?

BSI C5 is a criteria catalog published by the Federal Office for Information Security (BSI) with minimum requirements for secure cloud computing. DARZ has been meeting these requirements since 2024.

Information on request to info@da-rz.de.

Is the 360° Managed PKI & CLM solution tested for BSI C5 Type 2?

Information on request to info@da-rz.de.

BSI TR-03145 – Does the DARZ Data Center have the corresponding certification?

DARZ Certificate: BSI-K-TR-0635-2024

DIN EN50600 Cat III – Does the DARZ Data Center have the corresponding certification?

DARZ Certificate: DIN EN 50600

Veeam ProPartner – Does the DARZ Data Center have the corresponding certification?

DARZ GmbH has been a partner of Veeam for many years and has again received the official ProPartner certification in 2023, which is valid until December 31, 2023.

DARZ Certificate: Veeam-Partner

Renewable Energy – Does the DARZ Data Center purchase its energy sustainably?

DARZ GmbH has been purchasing green electricity for several years and aims to contribute to sustainability and the climate transition in Germany.

DARZ Certificate: Renewable Energy

HSM Certification – What security certifications do the HSMs used have?

Use Cases

How do I implement different use cases with a PKI & CLM?

Digital certificates provide strong, trusted authentication because they are not based solely on a password but also require possession of a private key. In modern corporate networks, they are used to uniquely identify users and devices—such as Windows computers, mobile devices, network components, or IoT devices.

To use certificates securely and efficiently within the company, related tasks can be divided into three thematic blocks: Certificate Creation, Certificate Distribution, and Certificate Usage. These areas are not necessarily sequential but describe different responsibilities within a PKI-based infrastructure.

In the Certificate Creation area, certificates are created and managed via a Certification Authority (CA), often controlled by a Certificate Lifecycle Management (CLM) system. The CLM manages the issuance, renewal, and revocation of certificates.

Certificate Distribution refers to the secure and controlled distribution of certificates to the appropriate endpoints in the organization. In Microsoft environments, this is often implemented via Active Directory Autoenrollment, allowing user certificates to be automatically deployed without manual intervention.

The actual usage takes place in the Certificate Usage block. Here, the issued certificates are actively used—such as for authentication when accessing network resources. A typical example is Network Access Control (NAC). In this scenario, devices like laptops, smartphones, or printers must present a valid certificate when connecting to the company’s network via LAN or WLAN. Authentication is carried out via a RADIUS server, which verifies the certificate and grants access to the network entry point (e.g., switch or access point) if the certificate is valid.

It’s important to differentiate between application and certificate infrastructure: The NAC solution itself is not part of the PKI but uses the certificates provided by the PKI as a technical means to secure the network. So when referring to the “NAC use case,” it’s not the NAC application itself, but the use of certificates within that application scenario.

IAM – Identity and Access Management: How do certificates support secure IAM in the enterprise?

Digital certificates offer significantly higher security than traditional passwords because they are based on possessing a private key that belongs to the certificate. They allow reliable authentication and authorization of users and devices in corporate networks—such as for logging in to Windows, computers, or mobile devices, as well as integrating network components like firewalls, switches, or IoT devices.

Certificate-based methods are especially common in Microsoft environments. Active Directory (AD) serves as the central platform for managing identities, access rights, and policies. When combined with an authentication server like RADIUS, AD can ensure that only users or devices with a valid certificate are allowed access to specific network areas—such as a WLAN. The certificates are usually deployed automatically via Autoenrollment, which simplifies management and ensures a high level of security.

VPN – Network Security: How do certificates increase the security of VPN connections?

In Virtual Private Networks (VPNs), digital certificates are used to authenticate the identity of the communicating parties and establish an encrypted connection over insecure networks—such as the Internet. This is particularly important when employees need to access internal corporate resources from home or on the go.

Certificates also securely link multiple corporate sites over a VPN. Compared to traditional methods like username and password, certificates provide a higher level of security because they rely on asymmetric cryptography and possession of a private key.

Additionally, using certificates simplifies the management and scaling of the VPN service: They can be distributed automatically, centrally managed, and easily used in larger environments with many devices or user accounts.

NAC – Network Access Control: How do certificates secure network access via NAC?

Network Access Control (NAC) uses digital certificates to ensure that only authorized devices can access the company’s network infrastructure. These devices include PCs, laptops, printers, or mobile devices that want to connect to the local network (LAN or WLAN).

Before a device is granted access, it must first authenticate itself with a valid digital certificate at the network entry point—such as a switch or WLAN access point. This request is forwarded to a RADIUS server, which verifies the certificate’s validity. Only after successful authentication is the device granted network access.

This method greatly enhances network security by preventing unknown or untrusted devices from accessing internal resources—even if physical access to the network is available.

Secure Email Communication: How do certificates protect email communication?

Email certificates play a central role in protecting electronic communication both within an organization and with external partners. They enable the digital signing of emails, ensuring that the message actually comes from the specified sender and hasn’t been altered during transmission.

Additionally, emails can be encrypted using certificates to protect sensitive content from unauthorized access—especially when transmitted over the public internet. This prevents confidential information like personal data, contracts, or internal documents from being intercepted and viewed.

In many cases, publicly trusted certificates from so-called Public CAs are used, as these can be easily verified and accepted outside the company’s network.

SSL/TLS Web Server Certificates: Why are certificates used on web servers?

SSL/TLS certificates are essential for securing web applications and online services. They encrypt communication between the server and users, protect data from unauthorized access, and allow for the unique identification of the server.

Typically, certificates from publicly trusted Certificate Authorities (Public CAs) are used, whose validity can be automatically verified by all major browsers and operating systems. This ensures that users can trust a website—often indicated by the familiar padlock symbol in the browser.

For larger environments with many web services or subdomains, managing numerous certificates can become cumbersome. This is where Certificate Lifecycle Management (CLM) provides a central solution to efficiently manage the issuance, renewal, and timely expiration of certificates—avoiding downtime and security risks.

MDM – Mobile Device Management: How do certificates help secure mobile devices?

Mobile Device Management (MDM) platforms are central tools for managing, configuring, and securing mobile devices in an enterprise environment. Digital certificates play a crucial role in securely authenticating the communication between mobile devices, applications, users, and enterprise services.

By using a Public Key Infrastructure (PKI), devices can be uniquely identified and securely authenticated—such as when accessing email, VPN, or internal web services. When combined with Certificate Lifecycle Management (CLM), certificates can be automatically deployed, extended, and revoked on mobile devices.

This certificate-based MDM strategy not only enhances security but also simplifies the operational burden for IT teams, ensuring smooth and protected access to corporate resources, regardless of where the mobile device is located.

Digital Signatures for Documents: How do certificates ensure the integrity of digital documents?

Digital signatures based on certificates provide a reliable way to ensure the authenticity and integrity of electronic documents. They guarantee that a document actually comes from the specified sender and has not been altered after signing—an essential factor in the digital signing of contracts, legally relevant documents, or other sensitive content.

Document signing certificates are used for this purpose, which are provided through a PKI infrastructure. A Managed PKI solution with integrated Certificate Lifecycle Management (CLM) can automate the issuance, renewal, and possible revocation of these certificates. This ensures that signed documents—such as PDFs—are trusted and easily verified by end users and external recipients.

This form of digital signature not only provides legal security but also simplifies processes like contract signings or approval workflows in the digital realm.

Code Signing: How do certificates guarantee the trustworthiness of software?

Code signing uses digital certificates to verify the origin and integrity of software or firmware. Through digital signatures, it can be proven that the published code actually comes from the specified publisher—such as a software company—and has not been tampered with since signing.

For end users, this means they can trust the software source and be confident that the application or update has not been altered or infected with malware. If the signed code is modified, the digital signature automatically becomes invalid—an obvious indication of potential tampering.

Digital certificates for code signing are therefore critical for the security of software distributions, especially in automated installations, updates, or when rolling out firmware on devices. Companies can thus protect their products and strengthen the trust of their users.

Full control. More automation. Fewer errors.

PKI made easy & get started

We support you every step of the way to your own corporate PKI.

“We want
Non-PKI-Experts to be able to work like professionals.”

Answers to your questions about the 360° Managed PKI & CLM solution

Frequently Asked Questions (FAQ)

Product Features

Plans & Billing

Project & Upgrade Timing

Common Concerns

Microsoft PKI (AD CS)

Microsoft Cloud PKI for Microsoft Intune

Consulting & Support

Migration & Integration

Interfaces & Automation

Certifications

Use Cases

Full control. More automation. Fewer errors.

PKI made easy & get started

Contact Europe

Contact Americas

Partners