
Automated certificate management in companies
The larger the number of digital certificates in a company, the higher the associated administrative effort. Unregulated processes and responsibilities increase the risk of certificates unintentionally expiring, which can lead to operational malfunctions and even complete system failures. The growing number of certificates, combined with increasingly shorter validity periods, calls for management solutions and automation.
The challenges of a growing certificate inventory include:
- Central overview and control of the certificates within the company, such as their number, expiration dates, installation locations, etc.
- Definition of processes and procedures for all those involved in the certificate process
- Ensuring compliance requirements, such as certificate policies
- Managing and billing multiple CAs
- Unintentional expiration of SSL certificates
- Fast and easy issuance, installation, and renewal of SSL certificates
- Secure storage of sensitive key material
The developers at essendi it have taken on these challenges and developed essendi xc, an innovative and powerful platform for managing digital certificates.
essendi xc is a comprehensive management system with a company-wide repository for various certificates and certificate types. It covers the complete certificate lifecycle from request to installation. This ensures that certificate inventories are always in view, including those automatically issued and distributed via ACME (details below). essendi xc simplifies certificate processes and enables individually definable automation of workflows, e.g., for validation, issuance, and renewal of certificates.
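The overview and expiry problems described above come down to one routine check: parse every certificate in the inventory, read its NotAfter date, and flag anything expired or inside the renewal window. The following Go program is an added illustration of that check, not code from essendi xc. The three certificates, their installation locations, and the 30-day renewal window are all constructed for the example; a real inventory would collect the PEM files from servers, key stores, and ACME clients instead of generating them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding is one row of the expiry report.
type Finding struct {
	Subject  string
	Location string // where the certificate is installed (constructed label)
	NotAfter time.Time
	DaysLeft int  // negative once expired
	Expired  bool
	Renew    bool // still valid but inside the renewal window
}

// parsePEMCert decodes a single PEM-encoded X.509 certificate.
func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// checkInventory parses each certificate and reports expired ones and those
// with renewBefore days or fewer left, most urgent first.
func checkInventory(inv map[string][]byte, now time.Time, renewBefore int) ([]Finding, error) {
	now = now.Truncate(time.Second) // X.509 validity times carry second precision
	var out []Finding
	for location, pemBytes := range inv {
		cert, err := parsePEMCert(pemBytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", location, err)
		}
		left := int(cert.NotAfter.Sub(now).Hours() / 24)
		expired := now.After(cert.NotAfter)
		out = append(out, Finding{
			Subject: cert.Subject.CommonName, Location: location, NotAfter: cert.NotAfter,
			DaysLeft: left, Expired: expired, Renew: !expired && left <= renewBefore,
		})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysLeft < out[j].DaysLeft })
	return out, nil
}

// selfSigned builds a constructed self-signed certificate for the demonstration.
func selfSigned(cn string, notBefore time.Time, validDays int) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// sampleInventory is a constructed inventory keyed by installation location:
// one certificate already expired, one due for renewal, one still fine.
func sampleInventory(now time.Time) map[string][]byte {
	return map[string][]byte{
		"web01:/etc/nginx/tls/www.pem":   selfSigned("www.example.com", now.AddDate(0, 0, -80), 90),   // 10 days left
		"mail01:/etc/postfix/tls.pem":    selfSigned("mail.example.com", now.AddDate(0, 0, -400), 365), // expired 35 days ago
		"api01:/etc/apache2/tls/api.pem": selfSigned("api.example.com", now.AddDate(0, 0, -5), 90),    // 85 days left
	}
}

func main() {
	now := time.Now().UTC()
	findings, err := checkInventory(sampleInventory(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-17s %-32s expires %s  days=%4d expired=%-5v renew=%v\n",
			f.Subject, f.Location, f.NotAfter.Format("2006-01-02"), f.DaysLeft, f.Expired, f.Renew)
	}
}
```

Sorting by days left puts the expired certificate first, then the one inside the renewal window; a scheduled run of such a check is the minimum that keeps an unmanaged expiry from turning into an outage.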
TLS, ACME, and Let’s Encrypt
For secure data transmission, digital certificates in connection with TLS (Transport Layer Security) have now become established. For the simple and free issuance of TLS certificates, the certification authority Let’s Encrypt, in connection with ACME, has become widely adopted.
Requesting Certificates with ACME and essendi xc
To enable Let’s Encrypt to quickly and automatically verify domain ownership, the ACME protocol (Automatic Certificate Management Environment, RFC 8555) was created. ACME reduces the effort required to issue a certificate for both the end user and the certification authority. The associated tools are widely used and support the automation of domain validation as well as the installation of certificates on the web server.
ACME-based clients such as Certbot allow for full automation of the issuance of TLS certificates (X.509) for a web server. This makes it possible to fully automate the installation of issued certificates in well-known web servers such as nginx, Apache, and IIS. Administrators particularly appreciate the additional benefit that no manual intervention is required even when renewing a certificate.
The Limitations of the Certification Authority Let’s Encrypt
If the requirements for TLS certificates go beyond domain validation, Let’s Encrypt certificates are not suitable. Neither organization validation nor other certificate types, such as those required for signing emails, documents, and code, are available. For this, additional CAs must be used.
So how can one maintain an overview and control of these certificates, which are largely managed automatically and without the involvement of PKI/security administration? And how can the handling of the various CAs behind them be combined?
Greater Reach of ACME and Let’s Encrypt with the essendi xc ACME Adapter
With the ACME adapter from essendi xc, the possibilities of ACME are comprehensively extended. The xc ACME adapter combines all the advantages of an ACME client like Certbot (automation, renewal of certificates, and distribution into various target environments, etc.) with the benefits of the professional certificate management platform essendi xc (extension of the spectrum of certification authorities and certificate types of all kinds, etc.).
ACME clients like Certbot can, in combination with the essendi xc ACME adapter and essendi xc, request certificate types of all kinds. The essendi xc ACME adapter supports DNS and HTTP challenges by default. Additional validation rules can be stored in essendi xc and automatically checked.
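The domain validation described under "Requesting Certificates with ACME" and the DNS and HTTP challenges mentioned here both rest on one computation from RFC 8555: the key authorization, which is the challenge token joined with a dot to the RFC 7638 thumbprint of the client's account key. For HTTP-01 the client serves that string at /.well-known/acme-challenge/<token>; for DNS-01 it publishes base64url(SHA-256(key authorization)) in a TXT record at _acme-challenge.<domain>. The Go program below is an added illustration of that computation and of the check the validating side performs; it is not code from essendi xc, Certbot, or Let’s Encrypt. The account key and the token are constructed, and the thumbprint routine assumes a P-256 EC account key (an RSA key would use different JWK members).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ACME and JWK use base64url without padding.
var b64 = base64.RawURLEncoding

// newAccountKey generates a P-256 ECDSA account key. Constructed for this demo;
// a real client keeps its account key in persistent, protected storage.
func newAccountKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// jwkThumbprint implements RFC 7638 for an EC key: SHA-256 over the canonical
// JSON {"crv","kty","x","y"} with members in lexicographic order, no whitespace,
// and coordinates left-padded to the curve size, then base64url-encoded.
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	size := (pub.Curve.Params().BitSize + 7) / 8 // 32 bytes for P-256
	x := pub.X.FillBytes(make([]byte, size))
	y := pub.Y.FillBytes(make([]byte, size))
	// encoding/json sorts map keys, which yields the required member order.
	canon, err := json.Marshal(map[string]string{
		"crv": pub.Curve.Params().Name, // "P-256" for elliptic.P256()
		"kty": "EC",
		"x":   b64.EncodeToString(x),
		"y":   b64.EncodeToString(y),
	})
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:]), nil
}

// keyAuthorization builds token || "." || thumbprint(accountKey) (RFC 8555 §8.1),
// the body an HTTP-01 client serves at /.well-known/acme-challenge/<token>.
func keyAuthorization(token string, pub *ecdsa.PublicKey) (string, error) {
	tp, err := jwkThumbprint(pub)
	if err != nil {
		return "", err
	}
	return token + "." + tp, nil
}

// dns01Value is the TXT record content for DNS-01: base64url(SHA-256(keyAuthorization)).
func dns01Value(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64.EncodeToString(sum[:])
}

// validateHTTP01 mirrors the validating side: the fetched body must equal the
// key authorization expected for the requesting account. RFC 8555 lets the
// server ignore trailing whitespace, so it is trimmed before the comparison.
func validateHTTP01(served, token string, pub *ecdsa.PublicKey) (bool, error) {
	expected, err := keyAuthorization(token, pub)
	if err != nil {
		return false, err
	}
	served = strings.TrimRight(served, " \t\r\n")
	return subtle.ConstantTimeCompare([]byte(served), []byte(expected)) == 1, nil
}

// validateDNS01 checks one TXT record value against the expected digest.
func validateDNS01(txt, token string, pub *ecdsa.PublicKey) (bool, error) {
	keyAuth, err := keyAuthorization(token, pub)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(txt), []byte(dns01Value(keyAuth))) == 1, nil
}

func main() {
	key := newAccountKey()
	token := "constructed-token-0123456789" // in practice the CA issues an opaque token
	keyAuth, err := keyAuthorization(token, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("HTTP-01 body :", keyAuth)
	fmt.Println("DNS-01 TXT   :", dns01Value(keyAuth))
	ok, _ := validateHTTP01(keyAuth+"\n", token, &key.PublicKey)
	fmt.Println("HTTP-01 valid:", ok)
}
```

Because the thumbprint is bound to the account key, a response computed for one account never validates for another; that binding is what lets a CA such as Let’s Encrypt, or a platform fronting several CAs, tie each validated name to the account that requested it.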
In addition to essendi xc’s functionalities for monitoring and managing certificates, various certification authorities can be integrated. This multi-CA capability of essendi xc provides the option to request certificates from any certification authority via the ACME protocol. A large number of public and private certification authorities are already connected. Examples include D-Trust, DigiCert, SwissSign, and Microsoft PKI. Integration of additional certification authorities is possible.
Your Benefits at a Glance
With essendi xc, ACME becomes even more powerful and is enhanced with the following additional features:
- High degree of automation and use of established and accepted methods for certificate requests
- All certificates in essendi xc are monitored and centrally controlled in the repository.
- Standard processes that satisfy compliance requirements can be defined in essendi xc according to your company’s standards.
- Certification authorities can be freely chosen thanks to the multi-CA capability of essendi xc. Certificates from public CAs such as SwissSign, D-Trust, etc. are also possible. If required, switching the certification authority is easy.
- Certificates can be revoked directly from essendi xc.
- The usage profile of certificates can be extended with additional attributes, e.g., in the subject.
- essendi xc ensures that digital certificates comply with your compliance requirements.
- Certificates enriched in this way allow organizational assignment, grouping, and validation.
- No limitation on the number of issued certificates
Possible application areas beyond the automation of web server certificates can be found, for example, throughout the Internet of Things, in cloud environments (e.g., in conjunction with Docker), and in email communication.