Enterprise PKI Automation & Management

Comprehensive managed PKI solution for mixed endpoint environments


Outsource PKI management to a trusted third party CA

Reduce total cost of ownership for PKI by as much as 50%

Support mixed environments, a variety of use cases, and public or private trust models

GlobalSign Auto Enrollment Gateway

GlobalSign’s Auto Enrollment Gateway (AEG) is a fully automated, managed PKI solution that addresses scalability in the modern mixed enterprise environment. AEG integrates GlobalSign’s hosted PKI solution directly with Active Directory, so enterprises operating Windows environments can automate certificate provisioning and management without the burden of maintaining their own expensive and complex Internal CA.

Support for the SCEP and ACME v2 protocols extends coverage beyond the Windows domain, enabling certificate automation for Linux servers and for mobile, networking, and other devices. Additionally, Apple OSX enrollment capabilities allow automated provisioning to all Apple machines and devices registered with Active Directory.

Replace your Microsoft CA with GlobalSign SaaS CA

  • Keep the automation benefits of Microsoft Certificate Services and Active Directory
  • Liberate IT to focus on core competencies, rather than cryptography and CA tasks
  • GlobalSign manages the security, high availability, and CA operations, ensuring you meet SLAs and compliance audit requirements

Expand your deployment to endpoints outside your domain & add public trust

  • Issue publicly trusted certificates (e.g., secure email, public-facing webservers)
  • ACME v2 protocol support enables automated issuance to Linux servers
  • SCEP server functionality for issuing certificates to mobile and networking devices and integrating with MDMs

How AEG Works

The integration with Active Directory and support for the SCEP and ACME v2 protocols allow for quick and seamless certificate registration and provisioning without sacrificing control. Certificates can be issued from a dedicated, private issuing CA hosted by GlobalSign or from GlobalSign’s public CAs (for use cases that require public trust), all based on GlobalSign’s highly available and secure world-class infrastructure.

AEG Features

AEG can be installed on Windows Server 2008 R2 and 2012 R2 and offers features and functionality beyond what is included with a Microsoft CA, including optional public trust, SCEP and ACME v2 support, and Apple OSX enrollment capabilities. An intuitive user interface and the ability to provision certificates to non-domain-joined objects make it easy to centralize, automate, and control all certificate activity across an organization.

Automated PKI Management

Automatically issue and manage certificates throughout their life cycle, including renewal, saving valuable IT resources and reducing the risk of expired certificates and resultant disruption in business workflows.


Outsourcing cryptography and certificate management services to a publicly trusted CA reduces the risk associated with managing and maintaining an in-house PKI operation and liberates IT to focus on core competencies and business-driving IT projects.

Support Mixed Endpoint Environments

Automate certificate issuance and management for both domain endpoints (e.g., Windows users, machines, and servers) and non-domain endpoints (e.g., Linux servers, mobile devices, networking devices, etc.).

Optional Public Trust Available

If you need publicly trusted certificates (e.g., for sending digitally signed or encrypted emails outside the company, securing public webservers), you can issue certificates from GlobalSign's publicly trusted root, rather than your hosted private root.

SCEP Server

Issue certificates to non-domain-joined objects (e.g., routers, mobile devices, non-Windows machines) using the SCEP server functionality. Enrollment can take place through a manual enrollment website or through a Mobile Device Management (MDM) platform (e.g., Microsoft Intune) linked directly to the SCEP server to issue certificates to mobile devices.

ACME v2 Protocol Support

Use existing ACME v2 client software to automate SSL certificate provisioning and installation on Linux servers in your environment. Our ACME v2 implementation supports higher-assurance OV and EV certificates with flexible validity periods.

Many Certificate Templates Supported

A wide range of pre-designed certificate templates support a variety of use cases, including S/MIME (with key archival and recovery), smartcard logon, digital signatures for Microsoft Office documents, SSL, Encrypted File System (EFS), and user and machine authentication.

Key Recovery and Archival

During the certificate enrollment process, the private key is securely sent to a designated local server as part of the certificate request and is archived there. Using key archival and recovery is essential for S/MIME use cases, and helps protect encrypted data from permanent loss in the event that the original encryption key is no longer available.

Pre-designed Certificate Templates Support a Range of Use Cases

The Auto Enrollment Gateway can be used to enroll and issue certificates to all types of Active Directory objects, including users, servers, desktops, laptops, and Domain Controllers. A wide range of pre-designed certificate templates support a variety of use cases, including:



Automate PKI without running your own Microsoft CA, or replace existing resource-intensive implementations, and expand support throughout your mixed endpoint environment. Talk to GlobalSign today.
