Why PKI Automation is Mandatory Today
Digital signatures and S/MIME/PGP encryption are essential for KRITIS organizations, hospitals, research institutions and suppliers. But the manual certificate process creates pain points:
• Helpdesk staff must create CSRs, operate trust center portals and distribute PFX files.
• Certificates expire → "Email could not be signed/decrypted".
• Revocation during personnel changes takes days.
• No transparency about validity, algorithms, revocation status.
mail:u secure automates the complete lifecycle of S/MIME/PGP certificates & key material - without any action from the departments.
Functional Scope Overview
| Module | Task | Benefit for Secure Data Transfer |
|---|---|---|
| Enrollment Service | Requests new certificates from trust centers via SCEP, ACME, REST-API | Zero-touch provisioning for employees |
| Renew Daemon | Automatically renews upcoming expirations (< 30 days) | No more "certificate expired" emails |
| Revocation Engine | Revokes keys during offboarding or incident | Quick response to theft/loss |
| Directory Sync | Reads AD / Entra ID / LDAP groups, generates CSR | Role-based certificate assignment |
| Reporting Dashboard | Live status, algorithms, runtimes, SHA fingerprints | ISO & KRITIS audit at the push of a button |
Supported Trust Centers & Algorithms
• D-TRUST
• SwissSign
• Sectigo
• Telekom Trust Center
• Own CA / Microsoft ADCS
Typical PKI Workflows
Auto-Enrollment via Entra ID
1. User joins the MailEncrypt_Prod group.
2. Directory sync triggers CSR generation.
3. Enrollment service receives the new certificate from D-TRUST.
4. Certificate & private key are stored in the gateway keystore.
5. Mail client can encrypt & sign immediately.
Renewal without Interruption
60 days before expiration the renew daemon initiates re-issuance; the keystore is atomically replaced and the old key remains valid in parallel for 30 days.
Immediate Revocation on Incident
1. HR or SOC system calls the REST endpoint /revoke/.
2. The private key is blocked.
3. The revocation is reported to the trust center.
4. Gateway CRL & OCSP cache are updated; admin & compliance officer are notified.
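The three workflows above (a new active key per mailbox, renewal with the superseded key kept usable for 30 days, immediate revocation) can be modelled in a few dozen lines. The following is an added example written for this page, not mail:u secure code; it knows nothing about the product's real keystore format, REST endpoints or trust-center protocols. The `CertRecord` fields, the JSON keystore layout, the `demo` function and the sample mailboxes are assumptions constructed for illustration, and the atomic replacement is done with a temp file plus `os.replace`.

```python
"""Added S/MIME lifecycle example (not mail:u secure code): renewal selection
60 days before expiry, atomic keystore swap with a 30-day parallel key, and
revocation.  Record fields and JSON layout are this example's assumptions."""
from __future__ import annotations

import json
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

RENEW_BEFORE = timedelta(days=60)  # renewal lead time stated in the workflow
GRACE_PERIOD = timedelta(days=30)  # superseded key stays usable this long


@dataclass
class CertRecord:
    email: str
    serial: str
    not_after: str                 # ISO-8601 UTC timestamp
    fingerprint: str               # SHA-256 hex; constructed values below
    status: str = "active"         # active | superseded | revoked
    superseded_at: Optional[str] = None


def _ts(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).isoformat()


def _dt(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def due_for_renewal(records: list[CertRecord], now: datetime) -> list[CertRecord]:
    """Active certificates with RENEW_BEFORE or less validity remaining."""
    return [r for r in records
            if r.status == "active" and _dt(r.not_after) - now <= RENEW_BEFORE]


class Keystore:
    """JSON-backed keystore.  Each write goes to a temp file that is then
    os.replace()d over the store, so a reader never sees a half-written file."""

    def __init__(self, path: Path):
        self.path = path
        self.records: list[CertRecord] = []
        if path.exists():
            self.records = [CertRecord(**r) for r in json.loads(path.read_text())]

    def _save(self) -> None:
        fd, tmp = tempfile.mkstemp(dir=self.path.parent, prefix=".keystore-")
        with os.fdopen(fd, "w") as fh:
            json.dump([asdict(r) for r in self.records], fh)
        os.replace(tmp, self.path)  # atomic rename on POSIX and Windows

    def renew(self, old: CertRecord, new: CertRecord, now: datetime) -> None:
        """Install the re-issued certificate; the old key stays in parallel."""
        old.status, old.superseded_at = "superseded", _ts(now)
        self.records.append(new)
        self._save()

    def purge_expired_grace(self, now: datetime) -> int:
        """Drop superseded keys whose grace period has ended; returns count."""
        keep = [r for r in self.records
                if not (r.status == "superseded"
                        and _dt(r.superseded_at) + GRACE_PERIOD < now)]
        removed = len(self.records) - len(keep)
        self.records = keep
        self._save()
        return removed

    def revoke(self, serial: str, reason: str, now: datetime) -> dict:
        """Block the key at once; return the event a revocation engine would
        forward to the trust center and to the CRL/OCSP cache."""
        for r in self.records:
            if r.serial == serial and r.status != "revoked":
                r.status = "revoked"
                self._save()
                return {"serial": serial, "fingerprint": r.fingerprint,
                        "reason": reason, "revoked_at": _ts(now)}
        raise KeyError(f"no unrevoked certificate with serial {serial}")

    def usable_keys(self, email: str, now: datetime) -> list[CertRecord]:
        """Active key plus any superseded key still inside its grace period."""
        out = []
        for r in self.records:
            if r.email != email or r.status == "revoked":
                continue
            if r.status == "superseded" and _dt(r.superseded_at) + GRACE_PERIOD < now:
                continue
            out.append(r)
        return out


def demo(store_dir: Optional[Path] = None) -> dict:
    """Run all three workflows on constructed records with a fixed clock."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ks = Keystore((store_dir or Path(tempfile.mkdtemp())) / "keystore.json")
    ks.records = [  # constructed sample data, not real certificates
        CertRecord("alice@example.org", "01", _ts(now + timedelta(days=45)), "aa" * 32),
        CertRecord("bob@example.org", "02", _ts(now + timedelta(days=300)), "bb" * 32),
    ]
    ks._save()
    due = due_for_renewal(ks.records, now)  # alice only: 45 d <= 60 d
    for old in due:
        ks.renew(old, CertRecord(old.email, old.serial + "-r",
                                 _ts(now + timedelta(days=730)), "cc" * 32), now)
    in_grace = len(ks.usable_keys("alice@example.org", now))  # old + new key
    later = now + timedelta(days=31)
    purged = ks.purge_expired_grace(later)  # alice's old key leaves the store
    event = ks.revoke("02", "keyCompromise", later)
    return {"due": len(due), "in_grace": in_grace, "purged": purged,
            "bob_usable": len(ks.usable_keys("bob@example.org", later)),
            "event_serial": event["serial"]}


if __name__ == "__main__":
    print(demo())
```

Keeping the superseded key in the store for the grace period is what lets the gateway still decrypt mail that was encrypted to the previous certificate while clients pick up the new one; the purge step is what eventually enforces the 30-day limit.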
Compliance Mapping
| Requirement | PKI Automation Added Value |
|---|---|
| DSGVO (GDPR) Art. 32 | State-of-the-art cryptography, documented key lifecycle |
| NIS2 | Key management and revocation time ≤ 24 h |
| ISO 27001 Annex 10.1 | Automated certificate issuance & renewal |
| B3S Healthcare | Protection level "high": keys in HSM, 2FA admin |
| IT-SiG 2.0 (§8a) | Demonstrable PKI process, audit trails, alarming |
Technical Deep Dive
Service Architecture
Container cluster with the microservices "pki-enroller", "renew-daemon" and "revoker" behind a REST gateway.
Security
Admin portal only via MFA, role-based access (Issuer-Admin, Auditor, Viewer).
Performance
Parallel enrollment of more than 500 certificates per hour, renewal batches via a queue, ACME support.
Seamless Integration
Migration & Interoperability
PKI automation supports migration of existing certificate stocks and ensures interoperability with various systems and platforms.
• Migration Script: Converts passphrase-protected PFX to Gateway keystore
• CRL Cache Sync: Synchronization with existing mail appliances for hybrid operation
Migration takes place without interruption of ongoing operations and ensures that all existing certificates are seamlessly integrated.

Do you have any questions?
FAQ
Yes, via REST API or UI - certificate path + private key upload.
Qualified Remote Signing via SwissSign / D-Trust QES Gateway is in pilot.
Optionally in internal HSM clusters (PCIe or Network HSM) or software-based with AES-256-at-rest.
