Auto Enrollment Gateway (AEG) - GlobalSign's PKI Certificate Automation and Provisioning Service for Active Directory Driven Environments
by GMO GlobalSign, Inc.
Fully automate the management and deployment of PKI certificates using Active Directory policies
AEG acts as a direct gateway/proxy between your Active Directory and GlobalSign PKI services. Automatically deploy certificates directly to your endpoints for a variety of use cases, e.g. device or user authentication, SSL certificates or secure email.
How do you do this? By using a set of services that work together to automate and manage your PKI using your own system policies. The services are:
- Your Active Directory (AD) – this manages your IT users, devices, and network hardware (IT assets) using policies. The assets are the users' devices (laptops, mobile devices, etc.), workstations, servers and network devices that are used to operate your entity. This can also be a Mobile/Universal Device Management (MDM/UDM) policy service.
- Auto Enrollment Gateway (AEG) – this is your PKI engine. AD tells AEG which assets need to be secured, and when, using policies defined by your entity. This would use AD 'Auto Enrollment' protocols; it could also be ACME or SCEP (for MDMs), for example.
- GlobalSign – this is your Certification Authority (CA) and hosted PKI infrastructure. When policies dictate, AEG pulls trusted digital certificates from your service within GlobalSign’s CA and installs them directly into the asset. This gives the asset an identity, allowing Active Directory to recognize and trust the asset when it is in use (when it tries to connect or access services).
How does AEG work?
AEG software acts as a proxy between your Active Directory and GlobalSign’s Software as a Service (SaaS) Certificate Authority, forwarding all certificate enrollment requests to GlobalSign. GlobalSign manages the security, high availability, and CA operations, while organizations retain control of users, policies and assets. The integration with Active Directory allows for quick and seamless certificate provisioning without sacrificing control. By configuring AD Group Policies, the administrator dictates which users or machines are allowed which types of certificates.
Our Managed PKI Provisioning Service can be used to enroll and issue certificates to all types of Active Directory Objects, including users, servers, desktops, laptops, and Domain Controllers.
AEG secures connectivity and provides identity services for all your AD-integrated users and devices. It covers the following use cases, but is not limited to them:
- Client Authentication for User accounts
- Client Authentication for Machine access to Networks
- Client Authentication for Smart Card Logon enabled User accounts
- S/MIME signing and encryption for User email accounts (optional Key Recovery Agent (KRA))
- Privately Trusted SSL for Internal Web Servers
- Client and Server Authentication for Network Devices
- Client Authentication for Mobile Devices