Jellyfish

Cloud Certificate Management

Cloud-based certificate management is offered by each of the major cloud vendors. The level of certificate management capability provided by these vendors varies and is usually limited to the certificates used within the services provided by the cloud provider.

This factsheet compares the capabilities provided by the cloud providers with those provided by Cogito Group's Jellyfish product and SecureSME platform.

The Platforms

GCP Certificate Manager (GCP CM)

GCP Certificate Manager is a fully managed service from Google Cloud Platform (GCP) that helps you provision, manage, and deploy TLS/SSL certificates for your applications running on GCP. It was created to simplify and automate how certificates are handled for services like load balancers, Cloud Run services, and Google Kubernetes Engine (GKE) clusters.

Azure Key Vault (AKV)

Azure Key Vault is a cloud service offered by Microsoft Azure that provides a secure and centralized platform to manage cryptographic keys, secrets (such as API keys, passwords), and certificates. It is designed to help safeguard cryptographic keys and secrets used by cloud applications and services, ensuring that sensitive information is stored securely and that access is tightly controlled and monitored.

Microsoft Cloud PKI (MCPKI)

Microsoft Cloud PKI is a cloud-based service for Microsoft Intune that simplifies and automates certificate lifecycle management for Intune-managed devices. It provides a dedicated PKI for an organization without requiring on-premises servers, NDES, Intune certificate connectors, or customer-managed hardware. Microsoft Cloud PKI supports private certificate issuance, renewal, revocation, SCEP-based certificate registration, cloud-hosted CRL and AIA endpoints, reporting, RBAC, and deployment models using either Microsoft Cloud PKI root and issuing CAs or bring-your-own CA (BYOCA) anchored to an existing private CA.

AWS Certificate Manager (ACM)

AWS Certificate Manager is a service by Amazon Web Services that enables users to easily provision, manage, and deploy public and private TLS/SSL certificates for securing websites and applications. ACM handles much of the heavy lifting involved in managing certificates—including issuing, renewing, and deploying them—especially across services like Elastic Load Balancing (ELB), CloudFront, and API Gateway.

Active Directory Certificate Services (ADCS)

Active Directory Certificate Services (ADCS) is a Windows Server role developed by Microsoft that provides a customizable Public Key Infrastructure (PKI) for issuing and managing digital certificates. ADCS enables organizations to create and manage their own certificate authority (CA) hierarchy for use within their enterprise network.

Although ADCS is primarily an on-premise CA solution, it is included here for completeness as a CA with a large deployment footprint.

Download the Feature Comparison Matrix

Comparison 1A
Comparison 1B
Comparison 1C

Multi-Environment Certificate Management Capability Matrix

Comparison 2

Key Observations

  • Jellyfish fills a major gap in cross-platform certificate management — none of the native cloud tools can manage external certs across environments.
  • SecureSME builds on Jellyfish’s authority to enforce trust, access, and identity rules in customer-facing or federated environments.
  • Microsoft Cloud PKI reduces AD CS, NDES, and Intune connector overhead for Intune-managed device certificates, but remains endpoint-focused.
  • Native cloud tools, including Microsoft Cloud PKI, are optimized for their own management planes; Jellyfish is broader where central policy, audit, and lifecycle management must span clouds, on-premise environments, and secure enclaves.
  • Tools like AWS ACM, Azure Key Vault, Microsoft Cloud PKI, and GCP Certificate Manager are optimized primarily for their own clouds or management planes.
  • AD CS remains flexible on-prem, but lacks automation and cloud awareness.

How Jellyfish and SecureSME Stand Out

Jellyfish

  • Purpose-Built for Hybrid Environments: Integrates with cloud-native CAs (Azure, AWS, GCP), on-prem AD CS, and third-party PKIs.
  • Certificate Lifecycle Management: Full automation for issuance, renewal, revocation, and suspension, with policy enforcement.
  • API & UI Driven: Rich REST API and role-based web interface.

  • Key Features:
    • Federation-ready
    • SCIM and SAML support
    • Certificate profiling and templating
    • Detailed logging and audit for compliance
    • HSM-backed key storage (FIPS 140-2)
    • Multi-tenancy with delegated administration

SecureSME

  • Designed for Externalization: Provides secure, certificate-backed access control to customer environments and services.
  • Supports Federated Identity: Works with Azure AD, Entra ID, and third-party IdPs. Offers SAML, OpenID Connect, and certificate-based login.
  • Built-In Certificate Trust Chains: Validates external and internal certificates, supports CRLs and OCSP.
  • Security Features:
    • TLS mutual auth for APIs and service endpoints
    • Certificate-based non-repudiation for transactions
    • Audit integration with SIEM
    • Managed session controls and MFA

When to use Jellyfish, SecureSME

Comparison 3

Summary

Microsoft Cloud PKI is a useful managed option for Intune-managed device certificate issuance, particularly where an organisation wants to reduce AD CS, NDES, and connector dependencies. However, only a few platforms, notably Jellyfish and SecureSME, offer complete multi-cloud and on-premise certificate lifecycle management with the flexibility, compliance, and control required in regulated or hybrid environments. They are especially suitable where:

  • You need central control but operate across multiple clouds and datacentres.
  • Compliance (e.g., ISM, IRAP, DISP) mandates strict visibility and audit of certificates.
  • Certificate-based non-repudiation, federation, or mTLS is critical.
  • You require orchestration of certificate lifecycle, trust enforcement, and audit across multiple environments.
