Use Cases
MTG Certificate Lifecycle Manager optimizes all certificate-related processes across the entire certificate lifecycle. Issuance, renewal and revocation processes can all be centrally automated, managed and controlled for a variety of use cases.
Automation in Certificate Lifecycle Management
Automating certificate lifecycle management is essential in large, complex, multi-vendor certificate environments, for use cases such as IoT, servers, clients and mobile devices.
- Support for all major PKI enrollment protocols such as ACME, EST and CMP
- Support for the ACME Certbot client and other ACME clients
- REST API and REST CLM client for automating non-standard components
- Automatic renewal of X.509 certificates and auditing of their installation
- Automated revocation service using OCSP and/or CRLs
Certificate Discovery - Full Transparency!
The Certificate Discovery function systematically scans for unknown certificates. Using network-based sensors and agents, all of the company's public and private TLS/SSL certificates are identified and added to the certificate inventory. Dangerous outages caused by expired certificates, and the expensive manual handling that otherwise results, are consequently avoided.
- Create a digital inventory of all the company’s public and private TLS/SSL certificates.
- Discover unknown certificates across a diverse environment.
- Analyze deployed certificates for the cryptographic primitives used and identify potential risks.
- Get a complete visual overview of all deployed certificates and associated devices through helpful dashboards.
- Stay informed about upcoming expirations.
- Use flexible certificate policies to monitor, notify and renew expiring certificates.
- Identification and automatic import of large numbers of certificates into the system without additional manual effort.
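To make the discovery and monitoring steps above concrete, here is an added example (not MTG CLM code) of what an inventory check does with the certificates a scan has collected: it parses DER-encoded X.509 certificates with only the Python standard library, extracts the fields an inventory needs (subject, expiry, signature algorithm, RSA key size) and evaluates each certificate against a simple policy (expiry warning window, minimum RSA key size, approved signature algorithms). The three certificates are constructed in the block itself with a dummy, unverified signature so that it runs offline; the hostnames, the policy thresholds and the `SAMPLE_NOW` reference date are assumptions for the illustration.

```python
"""Offline certificate-inventory check: parse DER X.509 with the standard library
only, then flag expiry and weak crypto. Added example, not MTG CLM code."""
import datetime as dt

# OIDs of interest, DER content octets only.
OID_RSA = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # sha1WithRSAEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                       # id-at-commonName
SIG_NAMES = {OID_SHA1_RSA: "sha1WithRSAEncryption", OID_SHA256_RSA: "sha256WithRSAEncryption"}

# --- minimal DER helpers (assumption: definite lengths, well-formed input) ---
def der_tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_int(n):
    # +8 bits guarantees a leading 0x00 when the top bit is set (DER positive INTEGER)
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    nlen = 0 if first < 0x80 else first & 0x7F            # short vs long-form length
    length = first if nlen == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big")
    start = pos + 2 + nlen
    return tag, buf[start:start + length], start + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

# --- parsing the fields a discovery scanner inventories ---
def common_name(name_body):
    for _, rdn in der_children(name_body):            # Name = SEQUENCE OF SET
        for _, atv in der_children(rdn):              # SET OF SEQUENCE {oid, value}
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                return value.decode()
    return None

def parse_time(tag, body):
    # UTCTime (0x17) vs GeneralizedTime (0x18); strptime's %y century rule suffices for current certs
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def parse_cert(der):
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), _ = der_children(cert)    # tbsCertificate, signatureAlgorithm, signatureValue
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                          # skip optional EXPLICIT [0] version
        fields = fields[1:]
    _serial, _alg, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    _, not_after = der_children(validity)
    (_, oid_body) = der_children(sig_alg)[0]
    _, (_, pubkey_bits) = der_children(spki)
    (_, rsa_seq) = der_children(pubkey_bits[1:])[0]   # skip BIT STRING unused-bits octet
    (_, modulus), _ = der_children(rsa_seq)
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "not_after": parse_time(*not_after), "sig_oid": oid_body,
            "sig_alg": SIG_NAMES.get(oid_body, oid_body.hex()),
            "key_bits": int.from_bytes(modulus, "big").bit_length()}

# --- policy evaluation over the inventory (thresholds are assumptions) ---
POLICY = {"warn_days": 30, "min_rsa_bits": 2048, "allowed_sig": {OID_SHA256_RSA}}

def evaluate(info, now, policy=POLICY):
    findings = []
    days_left = (info["not_after"] - now).days
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= policy["warn_days"]:
        findings.append(f"EXPIRES_IN_{days_left}_DAYS")
    if info["key_bits"] < policy["min_rsa_bits"]:
        findings.append(f"WEAK_KEY_{info['key_bits']}")
    if info["sig_oid"] not in policy["allowed_sig"]:
        findings.append("DISALLOWED_SIGALG_" + info["sig_alg"])
    return findings

def inventory(der_certs, now):
    return {info["subject_cn"]: evaluate(info, now) for info in map(parse_cert, der_certs)}

# --- constructed sample data: hand-built certificates with a dummy (unverified) signature ---
def build_cert(cn, not_after, key_bits, sig_oid):
    def name(s):
        atv = der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, s.encode()))
        return der_tlv(0x30, der_tlv(0x31, atv))
    def utctime(t):
        return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = der_tlv(0x30, der_tlv(0x06, sig_oid) + b"\x05\x00")
    rsa_key = der_tlv(0x30, der_int((1 << (key_bits - 1)) | 1) + der_int(65537))   # modulus of exactly key_bits
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA) + b"\x05\x00") + der_tlv(0x03, b"\x00" + rsa_key))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(0x1234) + alg + name("Example Internal CA")
                  + der_tlv(0x30, utctime(not_after - dt.timedelta(days=365)) + utctime(not_after))
                  + name(cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 33))

SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)   # assumed scan date

def sample_inventory():
    utc = lambda y, m, d: dt.datetime(y, m, d, tzinfo=dt.timezone.utc)
    certs = [build_cert("web01.example.internal", utc(2025, 6, 1), 2048, OID_SHA256_RSA),
             build_cert("legacy-printer.example.internal", utc(2024, 6, 15), 1024, OID_SHA1_RSA),
             build_cert("old-vpn.example.internal", utc(2024, 1, 1), 2048, OID_SHA256_RSA)]
    return inventory(certs, SAMPLE_NOW)
```

In a real scan the DER bytes come from a TLS handshake or a filesystem/agent collector rather than from `build_cert`, and the findings feed the notification rules; the point of the example is that expiry, key size and signature algorithm are all readable from the certificate itself, so an inventory can rate every certificate without consulting the issuing CA.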
Complete and Cost-effective Employee Onboarding!
All required certificates are issued in a systematic and complete procedure. A structured setup of authorizations keeps workflows in line with compliance guidelines.
- Automated device provisioning with user, VPN, S/MIME and CA certificates
- Expiration notification and automated renewal
- Automated import of certificates into LDAP and Active Directory
- Map existing authorization structures and processes to certificate issuance (e.g., Active Directory roles)
- Integration with onboarding software possible (e.g., ServiceNow)
Automated Digital Certificate Provisioning for Servers!
Automated, seamless provisioning of digital certificates prevents server downtime and the resulting costs and damage. It keeps internal services and production systems available and corporate websites reachable.
- Support for Windows and Linux Servers
- Provisioning of Active Directory-managed servers
- Support for the ACME protocol
- Fully automated certificate renewal
- Additional flexibility and configurability thanks to the CLI client
Quick and easy provisioning of digital certificates for networked devices
Networked office hardware (e.g., printers) and other smart devices (e.g., cameras) are major potential entry points for attackers. Protecting them with certificates, however, is a heterogeneous and complex process and is therefore often skipped. Fast and easy provisioning is thus an important function of the MTG Certificate Lifecycle Manager.
- Support for all major network hardware manufacturers (Cisco, HP, Palo Alto, etc.)
- Support for all SCEP- and EST-based devices
- Other devices can be supported with individual clients
- Support for Active Directory-managed devices
Architecture
The MTG CLM architecture is part of the overall MTG ERS® system, so the deployment can be extended with further security components whenever required. These include:
- the MTG Certificate Authority,
- the MTG Enterprise Key Management System,
- and the appropriate Hardware Security Modules.
The target entities (servers, clients, IoT devices, ...) are reached and managed via standard or MTG-specific automation clients.
MTG CLM supports a wide range of internal and publicly trusted CAs, e.g., Microsoft CA, Let's Encrypt and Deutsche Telekom. Security managers are thus relieved of the exhausting task of accessing each CA individually to gain insight into and control over every certificate.
Key Features
MTG Certificate Lifecycle Manager offers a comprehensive set of features that provide all the tools needed to implement certificate-based use cases quickly and effectively.
Detailed Monitoring & Reporting!
Always track the status of your certificates and avoid surprises. MTG CLM provides a comprehensive notification system for certificate status changes. Users are informed in good time, and repeatedly, before certificates expire, so punctual and seamless renewal is ensured.
- Extensive, user-friendly dashboards provide insights into the certificate state of each business domain and allow a quick overview at-a-glance.
- Advanced filtering and search functionality makes it easy to identify and present results, which can then be exported in CSV format for further processing.
- Audit metadata is tracked throughout all application steps and is readily available to MTG CLM administrators.
Create & support multiple business domains
The MTG CLM allows access rights for digital certificates to be organized individually.
- The respective areas (realms) can be structured according to departments, user groups or hierarchies, for example.
- It is also possible to differentiate between authorized users who can only view certificates and those who can configure them.
- Notification rules can be customized accordingly.
- The user interface adapts to the respective settings.
Certificate Policy Enforcement - Complete and Failure-free Generation of Certificates!
The Policy Enforcement Form contains a comprehensive collection of rules for configuring the different certificate types. This ensures that requests are complete, error-free and compliant. Individual policies can be created for email, servers, networked hardware or mobile devices.
Preconfigured policies are provided for common use cases!
- Restriction of the selectable algorithms to approved ones
- Permitted use of specific key material
- Setting of certificate validity periods
- Choice of manual or automatic approval of certificate requests
- Enforcement of a four-eyes principle (dual approval)
Access Control & Compliance!
Roles and rights are managed centrally and offer detailed settings for certificates and certificate holders.
Configuration is possible on several levels (per user, realm and policy).
Central Identity Management with Keycloak!
Keycloak lets all MTG ERS® applications (CLM, PKI, KMS) use different authentication protocols flexibly, with a central sign-in and sign-out function.
- OpenID Connect and SAML support
- Support for Google reCAPTCHA to protect registration against bots
- Multi-factor authentication with one-time passwords (TOTP, HOTP) for additional security
- Strong Authentication using X.509 Certificates
- Configurable password policies with options for length, character classes, complexity, etc.
- Configurable authentication flows that enable fine-tuning of each login process
- LDAP, Active Directory and Kerberos integrations available
- Support for the latest W3C Web Authentication (WebAuthn) specification
- Access all ERS applications (CLM, PKI, KMS) via a central sign-in and sign-out function.