Go To Content Go To Menu


MTG Corporate PKI

MTG Corporate PKI was specially developed for enterprises to implement certificate management best practices, whether it’s SSL/TLS, S/MIME, Code Signing, Client, Device or IoT.

Need of an enterprise PKI

An enterprise PKI is a centralized service within an organization that provides strong cryptographic protection for the following use cases:

  • Enterprise identity management (authentication, authorization, access control) of employees using personalized and centrally managed login credentials
  • Enterprise-wide email protection using end-to-end encryption and authentication through digital signatures
  • Authentication of enterprise hardware (web servers, network routers, network switches, network printers, etc.) that provides protection against serious attacks on unauthenticated malicious or infected devices on the corporate network
  • Authentication of mobile devices (smartphones).




MTG Corporate PKI

MTG Corporate PKI implements and supports a Certificate Management Operation Policy by strict access control mechanisms that enforce the Principle of Least Privilege in certificate management. The highly granular permission system (by user, role, department, company, branch, etc.) provided by MTG Corporate PKI can cater even the most specific use cases.


Architecture of the MTG Corporate PKI I

Architecture of the MTG Corporate PKI (© MTG)

MTG Corporate PKI enables the automation of the entire certificate lifecycle. Issuance, renewal and revocation processes can all be centrally managed and controlled.  Certificate validity information can easily be queried via CRLs or the OCSP protocol.

The detailed certificate logging and auditing capabilities of MTG Corporate PKI enables to track and monitor all certificate management actions at any moment.

Optional add-ons can extend the functionality of the MTG Corporate PKI platform. For example MTG SmartBridge allows the integration of smart cards into the certificate management life cycle. In addition, it is possible to integrate and use the MTG Key Management System (MTG KMS) . This combination opens up a wide range of possibilities for the central management of cryptographic keys and certificates from different areas and processes.

User friendly GUI

The modern web graphical user interface (GUI) enables user-friendly operation - even for non-PKI experts. Interactive dashboards provide users a quick overview of all relevant information.

MTG Corporate PKI Certificate Creation Wizard

MTG Corporate PKI Certificate Creation Wizard (© MTG)

Automated Certificate Management for Microsoft Windows Infrastructures is seamlessly integrated with the support of our Premium Partner, Secardeo.

MTG Corporate PKI is based on MTG-CARA, an advanced PKI platform that is used for a various different PKI use cases (e.g. Public CAs, Card Verifiable certificates, X.509 certificates, travel documents, Car2x certificates).

Certification Authority (CA)

The Certification Authority (CA) is the central component of the PKI platform that is responsible for the security critical PKI operations like CA creation and management, issuance of administration certificates, HSM configuration and more. In addition, MTG CARA offers an integrated user administration with extensive role and permission management. The CA ecosystem is comprised of two CARA APIs and the CARA Administration Frontend.


The CARA Admin-API contains functionalities that serve to administer the platform, such as  the following:

  • Definition of roles and super roles
  • Administration of certificate and CRL templates and profile
  • Administration and creation of Virtual CAs
  • Administration, control and monitoring of HSM connections
  • Generation of certificates for CA administrators
  • Generation of CA certificates (self-signed or under another CA)

  • Signer Import from another CA instance
  • Administration of revocation lists
  • Verwaltung von optionalen CA-Modulen


The CARA-API provides most of the core functionality of the MTG Corporate PKI:

  • Authentication and Authorization of Registration Authorities (frontends)
  • Certificate management life cycle processes (e.g. request, approve, reject, retrieve, renewal)
  • Support of different certificate formats (e.g. X.509, Attribute Certificate (AC), Card Verifiable Certificate (CVC) "Generation 1" (RSA), Card Verifiable Certificate (CVC) "Generation 2" (ECDSA)

  • Key backup and export (e.g. PKCS#12, PKCS#8)
  • Certificate Bundling: management of multiple jointly requested certificates as a certificate bundle

  • Revocation list management: automatic and manual generation, CRL retrieval

  • OCSP responder function
  • Virtual CAs and domains

CARA Administration Frontend

The CARA Administration Frontend uses the CARA Admin-API and the CARA-API. The CARA Administration Frontend offers the following functionality:

  • Administration of VCAs
  • Administration of certificate templates
  • Administration of revocation list templates
  • Administration of revocation lists

  • Administration of roles
  • Assignment/withdrawal of administrative permissions
  • Administration of the various CARA modules
  • Administration of Key Encryption Keys (keys used to protect other keys)

  • Establish and control HSM connections
  • Creation of CA Signers (HSM, software) and CA certificates

Registration Authority (RA)

A Registration Authority (RA)  receives certification requests through various channels, evaluates each request based on a set of predefined, highly configurable policies and instructs the CA to issue the certificate. The MTG Registration Authority (MTG RA) offers a simple, easy-to-use graphical user interface in the form of a web application, that enables customers to create, revoke, approve and manage digital certificates.

Additionally, widely-used PKI protocols like ACME, EST and CMP can be combined and integrated with MTG RA to allow certificate enrollment through standardized interfaces.

The MTG RA is usually located on a different instance than the CA. The CA is thus not to be exposed to the Internet/intranet. It is therefore secured in a high-security zone behind a firewall that only permits outgoing connections via TLS. On the other hand, the RA sits in a low-security zone (i.e. a DMZ) that, depending on the use case, allows incoming connections either from the network or even beyond it. This even allows multiple RAs to be connected to the CA behind a load balancer.

MTG Enterprise Resource Security (ERS)

MTG ERS simplifies and centralizes the management of cryptographic keys and identities in companies and public organisations. MTG ERS consists of three aligned IT security elements: MTG Corporate PKI, MTG Key Management System and the appropriate hardware security modules. We thus ensure the industry-specific implementation and simple integration of a complete key management lifecycle in selected corporate processes.

Download & Links

What can we do for you?

For further information feel free to contact us!

Lädt …