DARZ Corporate PKI with Certificate Lifecycle Management
As a provider for PKI solutions, DARZ GmbH has developed a Corporate PKI in cooperation with MTG AG, which secures all company-relevant processes over the entire lifecycle of certificates. Processes for issuing, renewing and revoking certificates can be centrally automated, managed and controlled for various use cases (e.g. e-mail certificates, router and server certificates or the secure connection of home office workstations). Certificate Lifecycle Management ensures that no certificates expire unintentionally and allows many associated processes to be automated.
Setup Root-CA
A dedicated Root-CA is set up for each customer as a trust anchor for the entire company.
Setup Sub-CA
The customer receives a Sub-CA under this Root-CA which can be used to issue its use-case-specific certificates. Additional Sub-CAs can be set up easily at the customer’s request. This makes sense, for example, if different trust chains need to be defined for different areas of the company.
Private & Public Certificates
With the Managed PKI, private certificates can be generated and managed cost-effectively for a wide range of use cases in the company.
In addition, it is possible to use the Managed PKI to apply for public certificates directly from public CAs and then manage them in the Managed PKI.
Hotline DARZ
Ticket system and hotline are available for questions and in case of problems.
Operation and Managed Services
The Managed PKI is operated in an IS027001 and DIN EN50600 Cat lll certified data center in a geo-redundant and fail-safe manner.
The Managed Service includes:
- The setup and configuration of the dedicated Root- and Sub-CAs, CLM, ACME EST, CMP servers and OCSP responders by experienced PKI experts in accordance with BSI crypto specifications as per TR-03116
- The connection to a HSM cluster
- Security patch management of the underlying operating systems and databases
- Maintenance of the PKI software
- Monitoring the availability of the infrastructure and applications
- Proactive monitoring of log files
- Monitoring and renewal of the certificate validity periods of the Root-CA and Sub-CA
- Backup and restore processes
- Ensuring PKI availability requirements, especially for the provision of revocation information (e.g. OCSP service)
Trainings
Detailed training videos are available online for users for the essential functions.
Consulting packages
Helpful consulting packages facilitate the entry into PKI operation and support the preparations as well as the implementation of concrete use cases: e.g. consulting for the automation of processes, creation of a Certificate Policy and Certificate Practice Statement, design of certificate templates, set-up of a comprehensive reporting system, etc.
Professional Services
With a Professional Service Agreement concluded directly with MTG, users receive full support from MTG’s experienced PKI experts on request.
Managed PKI vs. On-Premise PKI
Implementing and operating an on-premise PKI is a demanding and complex task. This path is particularly useful for companies that want to implement special use cases and requirements. These can be, for example, regulatory requirements that have to be met, or also the equipping of IoT devices with certificates during production. The implementation of extensive services (e.g., in the health care sector) would be another suitable use case for an on-premise PKI. It may be that the operation is simply large enough and both the existing infrastructure and the required specialist staff are in place to run their own PKI on-premise.
For most other cases, it is worth looking at a Managed PKI. Such an offering can be implemented with significantly less effort and preparation time. Trustworthy authentication, verification, integrity and encryption for critical and sensitive business processes and applications are thus available at short notice. Companies can concentrate more quickly on securing their business processes and use the ready-built PKI directly. This is because with a Managed PKI, there is no need to worry in advance about secure configuration, backup concepts, fail-safety, scaling or access rights, or to provide the necessary infrastructure. There is no need to build up in-depth PKI and IT security know-how with the appropriate specialist staff and training. The handling of hardware security modules and the required specialized knowledge can also be left to the service provider.
The costs for an on-premise PKI are usually much higher than the relatively low costs for software licenses due to high personnel, infrastructure and operating costs. Even free open source PKI solutions therefore do not make a significant contribution to reducing overall costs.
A modern managed PKI should come from a trusted provider and be able to be set up decidedly for the user. It should scale with the requirements and protect the keys according to the state of the art. Simple user-friendly operation and up-to-date certificate lifecycle management are important selection criteria. Last but not least, the costs for operation should be transparent.