PKI as a service

dblas · January 27, 2024, 10:55pm

Hello to all,
Does someone know about a good provider of PKI as a service in Europe (don’t want to hear about Entrust, GlobalSign or others)?

Thank you,
db

saper · January 28, 2024, 1:22pm

I have tried two European ones who ended up being GlobalSign resellers to get S/MIME email signing and I am not happy with any of them.

dblas · January 28, 2024, 2:03pm

Funny, isn’t it?
In France we have 2 french providers at least:
Nexus which is the brand name for the PKI service of Imprimerie Nationale (renamed IN a few years ago) ;
CertEurope which is an eIDAS-compliant USB sticks provider.
But no one answers: typical behaviour in France.
That’s why I’m looking from provider from another country: Germany, Italy for example.

Thank you for your information.
I’m carrying on,
db

saper · January 28, 2024, 2:11pm

What are you looking for exactly?

I was looking for S/MIME certificates (very bad situation) but I also have two qualified digital signature cards, one from Estonia (so-called e-Residency, very recommended) and one from Poland (Eurocert) - they are fine.

dblas · January 28, 2024, 6:14pm

A typical PKI as a service from which devices can retrieve, update their signed private/public keys using common protocols like SCEP, CMP and EST as well as a service that offers RA functions through a web portal.
Of course I know EJBCA, openxpki, DogTag or Boulder and, of course, even openssl but I do not want to be involved in management.
As you may know, PKI is 10 % technique and 90 % for the management.

db

saper · January 28, 2024, 6:16pm

I know one Swedish supplier for this, but I do not recommend them

bernd · January 28, 2024, 9:29pm

`step-ca` server ?
Yes not a provider but as I have been told a good wrapper. Iirc they offer also a managed hosted service… Maybe it’s an option?

jan · January 29, 2024, 10:00am

Another option might be SSL Certificates, Electronic Signature, Code Signing: Certum . I don’t have enough experience with them (yet) to recommend or not recommend them. At least they are cheaper than many others.

dblas · January 29, 2024, 10:14am

Interesting. I didn’t know about them.
Thank you for the reference.
Above all we have " * Issue short-lived SSH certificates via OAuth OIDC single sign on."
But, there is no support for self-retrieved certificates using something like CMP or EST.
That’s essentially based upon ACME.
Moreover,

Very limited options for active revocation (CRL, OCSP)
Very limited options for legacy CA protocols
db