Public Key Infrastructure

A carefully established Public Key Infrastructure (PKI) is essential for every company, but requires a variety of components and technologies.

Our experience covers all established PKI standards and technologies such as X.509, OCSP, CMP and LDAP.

When it comes to design, set-up or expansion of PKIs, you will find us to be a professional and technically experienced partner.

Certificate Management in Cloud Environments

We adapt your PKI to cloud native environments and rely on scalable, automated certificate management.

  • Setting up and operating PKI in cloud environments. Secure configuration of the certificate management systems of various cloud providers. Use of infrastructure as code.
  • Automation of certificate management for cloud native applications that use a variety of cloud services.
  • Scalability of PKI up to large clusters and service meshes.
  • Standardised certificate management in the cloud and on-prem, taking into account existing security and compliance requirements while avoiding isolated solutions.

Certificate Rollout with Microsoft Intune

In a customer project, end user devices (e.g. iPads and Windows laptops) are to be automatically supplied with WiFi and VPN certificates from the company's internal PKI.

The cloud-based Intune serves as the mobile device management (MDM) platform, which is seamlessly integrated into the organisation's internal PKI.

A SCEP server developed by NOVOSEC acts as a rollout endpoint that verifies Intune requests and, after successful verification, forwards them to the PKI for certificate issuance.

Load scenarios of the downstream systems are taken into account during configuration.

In cooperation with the customer, network and firewall configurations were defined and implemented in order to secure system access.

The internal PKI was expanded to include dedicated certificate templates for each device type, with security parameters set in accordance with company policy.

A key focus was placed on the use of unique device IDs in connection with the certificate rollout to ensure precise assignment of certificates to dedicated end devices.

Automatic Configuration of S/MIME Certificates in Outlook

S/MIME: Certificate Rollout

Encrypting emails with S/MIME can make an important contribution to secure communication in companies. However, this requires the corresponding S/MIME certificate to be installed on each user's computer and the mail client to be configured to use it.

The Environment: Windows, Outlook, Entra ID

Windows computers with Microsoft Outlook are used. The S/MIME certificates are provided by a central certificate management system. Access to this system uses OpenID Connect, with Entra ID as the server-side implementation.

Our Solution: Automatic Distribution and Configuration of Certificates

Distribution and configuration of certificates are handled by client software that offers, among others, the following features:

  • Installation via centralised software distribution on the user PCs.
  • Use of the respective user login for authentication with Entra ID.
  • Automatic configuration of the Outlook profile.
  • Automatic certificate renewal prior to expiry.
  • No action required by users, no time-consuming and cost-intensive training required.
  • Easily scalable thanks to centralised control, and also suitable for large numbers of users.

"Encryption is too important to be left solely to governments."

Bruce Schneier

Local Decryption of Encrypted E-Mails

Emails are to be stored unencrypted in the customer's central archives.

For this purpose, a system was set up that receives emails to be archived, removes existing encryption and forwards the processed emails to the archiving systems.

The keys required for S/MIME decryption are retrieved from the central S/MIME certificate management infrastructure, while AIP protection is removed via API calls against the AIP rights management system in the Azure Cloud.

Self Service Portal

We provide a front end for third-party certificate management systems (CMS) based on our GlobalPKI Self Service Portal. All GUI texts and profiles can be configured by the customer. API calls are used for connections to the backend services.

  • User authentication with SSO.
  • RBAC for all functions and certificate profiles.
  • Support for multiple pre-defined certificate profiles, configurable by the customer.
  • Certificate requests can be based on a CSR upload and on editing of request parameters.
  • All requests are checked against the validation rules of the profile (e.g. whitelist, blacklist, length, regexp, customised validators).
  • Support for additional metadata (contacts, lifespan).
  • Direct specification of the distribution target (e.g. Windows computer).
  • Mass import via Excel templates.
  • Workflows for request approval.
  • Download of private keys and certificates.
  • E-mail notification with pre-filled request prior to certificate expiry.
  • Automatic certificate renewal function.
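As an added illustration of the profile validation rules listed above (whitelist, blacklist, length, regexp, custom validators), the following Python is example code written for this page, not NOVOSEC's portal code; the field names, the rule structure and the server TLS profile are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class ProfileRules:
    # Assumed rule structure for one request field of a certificate profile.
    whitelist: Set[str] = field(default_factory=set)   # if non-empty, only these values pass
    blacklist: Set[str] = field(default_factory=set)   # these values never pass
    max_length: int = 64
    regexp: Optional[str] = None                       # must match the whole value
    custom: List[Callable[[str], Optional[str]]] = field(default_factory=list)  # returns a message on failure

def validate_field(name: str, value: str, rules: ProfileRules) -> List[str]:
    """Return all violations for one field value (an empty list means the value is acceptable)."""
    errors = []
    if len(value) > rules.max_length:
        errors.append(f"{name}: length {len(value)} exceeds {rules.max_length}")
    if rules.whitelist and value not in rules.whitelist:
        errors.append(f"{name}: {value!r} is not whitelisted")
    if value in rules.blacklist:
        errors.append(f"{name}: {value!r} is blacklisted")
    if rules.regexp and not re.fullmatch(rules.regexp, value):
        errors.append(f"{name}: {value!r} does not match {rules.regexp}")
    for check in rules.custom:
        message = check(value)
        if message:
            errors.append(f"{name}: {message}")
    return errors

def validate_request(request: Dict[str, List[str]], profile: Dict[str, ProfileRules]) -> List[str]:
    """Check every field of a request against the profile; fields the profile does not define are rejected."""
    errors = []
    for name, values in request.items():
        if name not in profile:
            errors.append(f"{name}: field not permitted by this profile")
            continue
        for value in values:
            errors.extend(validate_field(name, value, profile[name]))
    return errors

# Constructed example profile for internal server TLS certificates (not a real customer profile).
def no_reserved_prefix(value: str) -> Optional[str]:
    return "host label may not start with reserved prefix 'ca-'" if value.split(".")[0].startswith("ca-") else None

HOSTNAME = r"[a-z0-9-]+\.corp\.example"
SERVER_TLS_PROFILE = {
    "CN": ProfileRules(regexp=HOSTNAME, custom=[no_reserved_prefix]),
    "SAN_DNS": ProfileRules(regexp=HOSTNAME, blacklist={"localhost.corp.example"}, custom=[no_reserved_prefix]),
    "O": ProfileRules(whitelist={"Example Corp"}),
}
```

A request that passes every rule yields an empty error list; a rejected request reports one message per violated rule, so the portal can show the requester exactly what to correct.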