Public Key Infrastructure Certificate Rotation Service

The Vendor is required to provide s for an advanced Public Key Infrastructure (PKI) Certificate Rotation and Lifecycle Management (CLM) Service.
- This solution must provide full automation for managing digital certificates across all university campuses and university institutions.
- Goal: Implement an enterprise-grade CLM platform to achieve zero-touch automation of the certificate lifecycle (discovery, issuance, provisioning, renewal, and revocation) to prevent outages, ensure crypto-agility, and centralize certificate visibility across the entire university.
- Furthermore, industry standards (CA/B Forum and major browsers like Google) are rapidly reducing public certificate lifecycles from 398 days to 90 days or less by 2029.
- Full Lifecycle Automation: Must provide zero-touch automation for certificate requests, issuance, provisioning, renewal, and revocation for all supported environments, eliminating human intervention.
- Discovery and Inventory: Ability to discover, scan, and inventory all existing public and private certificates across the network, including servers (Windows/Linux), load balancers (e.g., F5), firewalls, and application platforms (e.g., IIS, Apache, Java Keystores).
- Protocol Support: Native support for the ACME (Automatic Certificate Management Environment) protocol for public certificates and support for other enrollment protocols like SCEP and EST for internal machine and device certificates.
- Role-Based Access Control (RBAC): Provide granular RBAC to delegate certificate management permissions to specific departmental IT staff (ITCs) while maintaining centralized policy enforcement.
- API Integration: Offer a robust REST API for integration with existing EIT orchestration, monitoring, and ticketing systems (e.g., TeamDynamix).
- Microsoft ADCS Integration: The solution must provide full, secure, and seamless integration with Microsoft Active Directory Certificate Services (ADCS) to automate the lifecycle of internal private certificates. Describe the mechanism used for this integration.
- Cloud Environment Support: Support for automated provisioning and renewal of certificates in major cloud environments (e.g., Azure Key Vault, AWS Certificate Manager/Load Balancers).
- Operating System Compatibility: Ability to deploy agents, network agents, or ACME clients on a wide variety of OS and server types, including Windows Server, RHEL, and Ubuntu.
- Endpoints: Automated management for IIS, Apache, Java Keystores, Oracle Wallet, and Nginx deployment in Docker containers.
- Audit and Compliance Reporting: Provide automated, audit-ready reports on all certificate activities, expiration dates, non-compliant certificates (e.g., weak key use), and policy violations.
- Expiration Alerts: Real-time, customizable alerts and notifications for critical certificate expiration and status changes.
- Key Protection: Detail native integration and management capabilities with industrystandard Hardware Security Modules (HSMs) for key storage and protection.