GITRIX CA PKI

Internal Certificate Issuance Management

Fast and easy internal certificate issuance without privileged rights.

GITRIX Internal Certificates: Your Own Corporate PKI Without Hassle or Security Risks

Internal certificates are the invisible engine of your corporate security. They enable secure computer logins (Smartcard Logon), data encryption, digital signing of internal documents, and secure VPN access. However, managing an internal certification authority (PKI) is often complex and requires high administrative privileges, which represents a security risk.

With the Internal Certificates module from the GITRIX system, you get an elegant and highly secure tool that wraps the complex Active Directory Certificate Services (AD CS) infrastructure in a user-friendly and fully automated environment.

Key Benefits of the Module for Your Organization

  • Secure delegation, operators without CA access: Giving regular IT helpdesk or HR staff direct access to the certification authority server is a serious security risk. GITRIX removes that problem. Operators issue and manage certificates from the GITRIX application without holding any administrative rights on the certification authority itself, so the network architecture remains intact and the CA stays protected.
  • Certificate issuance in a single click: Equipping a new employee has never been easier. As soon as an operator assigns a smart card or mobile application to a user in the system, issuing the required internal certificates (e.g., for Windows logon) is literally a matter of one click. No complex request generation, no manual approvals.
  • Support for all your corporate templates: Do you need one certificate for Windows logon, another for email encryption, and a third for the corporate VPN? The GITRIX system fully supports the user templates defined in your Active Directory. You decide exactly which certificates each employee receives.
  • Lightning response, immediate revocation and CRL updates: When an employee loses their smart card, seconds matter. The operator revokes the certificate with one button in the GITRIX system, and GITRIX then publishes an updated CRL (certificate revocation list) automatically and immediately, so your network knows at once that the certificate no longer grants access. The system also detects revocations made outside GITRIX, so your data is always current.
  • Smart renewal system: Don’t let key employees’ certificates expire. The system includes an advanced renewal request mechanism that can work manually (the user or operator confirms the request) or fully automatically without human intervention.

Don’t Have Your Own PKI? We’ll Build One for You

If your organization doesn’t yet have its own certification authority, or the existing one doesn’t meet modern standards, our team will design and set one up for you as part of the implementation. By default we build a robust, secure two-tier CA hierarchy. You can choose between the ONLINE-ONLINE variant or, for maximum protection of critical infrastructure, the preferred OFFLINE-ONLINE variant, in which the root CA is kept disconnected from the network.

Technical Background: Architecture Built on Security

The GITRIX solution does not introduce security vulnerabilities; it strictly follows best practices and relies on native Microsoft features. How does the certificate issuance process work technically?

  • Quiet background operation (service): Communication with your Active Directory is handled by a dedicated component (AD Connector) that runs as a continuous Windows service under a dedicated service account. No interactive administrator logins are required.

  • Cryptographic seal (Enrollment Agent): The CA does not issue certificates to just any requester. Every request (CSR) created by an operator is countersigned in the background by a dedicated Enrollment Agent certificate, so the CA issues the certificate only on the basis of this verifiable cryptographic authorization.

  • Strict isolation (AD Connector separate from the CA): A fundamental element of the architecture is the physical separation of roles. The AD Connector runs on its own server, completely separate from the server hosting the certification authority. Your CA therefore remains isolated and protected from direct external access.
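The two mechanisms above, an Enrollment Agent certificate that countersigns requests and a CRL that must be published promptly after a revocation, are things a PKI administrator will want to verify independently of any management tool. The following PowerShell script is an added example, not GITRIX code or part of the product; it uses only built-in Windows tooling. It assumes the Enrollment Agent certificate lives in the personal store of the account running the script, that the issuing CA's CRL has been downloaded to the placeholder path `$CrlPath`, and that `$RevokedSerial` is the serial number of a certificate you just revoked; the parsing of `certutil -dump` output relies on its usual `NextUpdate:` and `Serial Number:` text lines.

```powershell
<#
  Added defender-side check (not GITRIX code). Assumptions, all placeholders:
    - the Enrollment Agent certificate is in Cert:\CurrentUser\My of the running account
    - the issuing CA's CRL has been fetched from its CDP to $CrlPath
    - $RevokedSerial is the hex serial of a certificate that was just revoked
#>
param(
    [string]$CrlPath       = "C:\Temp\issuing-ca.crl",   # placeholder path
    [string]$RevokedSerial = "1A2B3C4D"                   # placeholder serial, hex, no spaces
)

# EKU OID "Certificate Request Agent": the mark of an Enrollment Agent certificate
$RequestAgentOid = "1.3.6.1.4.1.311.20.2.1"

function Get-EnrollmentAgentCertificate {
    # The Cert: provider adds an EnhancedKeyUsageList property (FriendlyName/ObjectId) to each cert
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $RequestAgentOid }
}

function Test-EnrollmentAgentCertificate {
    $agents = @(Get-EnrollmentAgentCertificate)
    if ($agents.Count -eq 0) {
        Write-Warning "No Enrollment Agent certificate found; enroll-on-behalf-of requests would be rejected by the CA."
        return $false
    }
    foreach ($c in $agents) {
        $daysLeft = ($c.NotAfter - (Get-Date)).Days
        Write-Host ("Enrollment Agent '{0}' expires in {1} day(s)" -f $c.Subject, $daysLeft)
        if ($daysLeft -lt 30) { Write-Warning "Enrollment Agent certificate is close to expiry; renew it before issuance stops." }
    }
    return $true
}

function Test-CrlFreshness {
    param([string]$Path, [string]$Serial)
    # certutil -dump prints the CRL as text; we read NextUpdate and the listed serial numbers
    $dump = & certutil.exe -dump $Path
    $nextMatch = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $nextMatch) {
        Write-Warning "Could not find NextUpdate in '$Path'; is it really a CRL?"
        return $false
    }
    $nextUpdate = [datetime]::Parse($nextMatch.Matches[0].Groups[1].Value)
    $serials = $dump | Select-String -Pattern '^\s*Serial Number:\s*([0-9a-fA-F ]+)$' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace ' ', '').ToUpper() }

    $fresh   = $nextUpdate -gt (Get-Date)
    $present = $serials -contains $Serial.ToUpper()
    Write-Host ("CRL NextUpdate: {0} (still valid: {1})" -f $nextUpdate, $fresh)
    Write-Host ("Revoked serial {0} listed: {1}" -f $Serial, $present)
    if (-not $fresh)   { Write-Warning "The CRL has expired; relying parties may reject every certificate from this CA or use stale cached data." }
    if (-not $present) { Write-Warning "The revoked certificate is not in this CRL; no updated CRL has been published yet." }
    return ($fresh -and $present)
}

[void](Test-EnrollmentAgentCertificate)
[void](Test-CrlFreshness -Path $CrlPath -Serial $RevokedSerial)
```

Run it on the AD Connector host under the service account (the Enrollment Agent check) and on any relying-party host that has just downloaded the CRL (the freshness check). A stale `NextUpdate` or a missing serial is the signal that revocation has not actually propagated, whatever the management console reports.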

Optional Synergy for Absolute Certainty

The Internal Certificates module can be linked directly with the GITRIX CA Backup tool. You then get not only a first-class certificate management tool but also fully automated backups that allow rapid recovery of the certification authority itself after a disaster or ransomware attack.

Simplify your internal PKI management. Eliminate errors, protect your administrator accounts, and speed up certificate issuance with the GITRIX platform.

Key Features

Simple issuance to hardware devices

Easily issue to hardware devices such as smart cards, USB tokens, and mobile applications.

Support for Active Directory Certificate Services

Thanks to the direct connection to AD CS, you issue your internal certificates easily from the GITRIX operator application.

Support for custom PKI templates

Without technical interventions, you can create your own templates in AD CS and issue them through GITRIX.

Technical Specifications

  • Microsoft Certificate Services 2016+
  • Certificate issuance
  • Certificate revocation
  • Automatic CRL updates