Digital Keys and Certificates The Foundation of Industrial Cybersecurity

PKI and key management with the ECOS TrustManagementAppliance®

ECOS TrustManagementAppliance®

Secure identities for IoT, OT and AI

PKI management for IoT, OT and AI – secure identities for a connected future

Millions of devices, sensors and controllers are deployed across IoT and OT environments – and each of them requires a unique, trusted identity. At the same time, AI agents are taking on increasingly autonomous roles and must be authenticated beyond doubt. Only then can Zero Trust principles be applied consistently across connected systems.

The ECOS TrustManagementAppliance® (TMA) provides a powerful, proven and flexible PKI and key management solution for creating, distributing and managing digital certificates and cryptographic keys – the foundation of machine identities.
Optimized for IoT and OT environments, and extendable via the TMA Edge Gateway, it also supports distributed production networks and complex global infrastructures.

Customized
Intuitive
PKI & Key Management made in Germany
Made in Germany

Your benefits at a glance

  • Automated creation, management and distribution of certificates and keys.
  • Certificate lifecycle management – automatic renewal and full lifecycle transparency.
  • Seamless production integration – certificate issuance directly within manufacturing processes, customizable for different environments.
  • Fully scalable – suitable for any product strategy, from pilot runs to millions of devices.
  • Open interfaces and standard protocols – REST API, SCEP, EST, ACME, CMP for smooth integration with existing systems.
  • Compliant and future-ready – supports X.509, symmetric/asymmetric keys, TLS-based communication (MQTT, OPC UA, HTTPS).
  • Crypto-agile architecture – prepared for future cryptographic standards.
  • Flexible deployment – on-premises, cloud, hybrid or edge; supports offline production environments.
  • Trusted identities for AI agents – authenticate autonomous systems, prevent manipulation and enable seamless integration into Zero Trust architectures.
  • Secure digital identities form the foundation of sustainable product, device and industrial cybersecurity strategies.

ECOS TrustManagementAppliance®

Trusted identities for IoT, OT and AI

The ECOS TrustManagementAppliance® creates, distributes and manages digital certificates and cryptographic keys to establish trusted identities for devices, systems and AI agents.
These secure machine identities protect data, processes and autonomous decisions – forming the basis of a secure, scalable and future-proof industrial ecosystem.

The TMA can be operated on-premises, in the cloud or as a service by ECOS.

TMA Edge Gateway

Secure identities for
networked production

  • Secure certificate management directly on the production line
  • Offline capability for secure operation without an internet connection
  • Seamless integration with existing SCADA, MES and ERP systems
  • Ideal for global production networks and contract manufacturers
  • Cybersecurity Made in Germany

What makes the ECOS PKI solution stand out

All-in-one platform
PKI, key and certificate management
from a single source
Automation
Covers all parts of certificate management and distribution
Open interfaces for PKI & key management
Open interfaces
Seamless integration into infrastructures or IoT production environments
Simple PKI & key management
Simple management
Easy configuration and automated certificate distribution
Fully scalable
Grows with your requirements
Optionally highly available
Policy Enforcement
Ensure compliance and consistency across all certificates
Certificate distribution
Various distribution mechanisms and protocol support
Deployable anywhere
On-premises, VM, container or cloud deployment

Knowledge

PKI & key management made easy

Whitepaper: Machine identities in IoT/OT

cat82,cat93,cat37,cat38,cat18,cat72,cat71,cat69
No match found!
Case Study: Techem

Techem

PKI to secure communication of remote metering infrastructure at Techem
 

cat17,cat39,cat52,cat7
Case Study: Stahl AG

R. STAHL AG

The ECOS TrustManagementAppliance is the central public key infrastructure (PKI) at R. STAHL AG

cat17,cat52,cat7
No match found!

A Public Key Infrastructure (PKI) or digital certificate is an electronic document that confirms that a public key belongs to a specific entity, such as a person, organization, or device. It is issued and digitally signed by a Certificate Authority (CA), which plays a central role in a PKI.

A certificate contains important information such as the name of the certificate owner, a serial number, an expiration date, and a public key. It also provides the digital fingerprint of the certificate, which ensures the integrity of the certificate, and the digital signature of the Certification Authority that issued the certificate.

A PKI uses the certificate to enable secure communication and data exchange. Key pairs - a public key and a private key - can be used to encrypt and decrypt messages, create or verify digital signatures, and confirm the authenticity of an entity.

The ECOS TrustManagementAppliance helps manage certificates and secure their use by providing a centralized platform for issuing, managing, and validating digital certificates. It ensures that the keys associated with each certificate are securely stored and used to guarantee the integrity and confidentiality of data transmitted in (I)IoT environments.

cat17,cat10

A PKI, short for Public Key Infrastructure, works by encrypting and signing data. There are several important reasons for this:

Data protection and security: Encryption allows information to be transmitted securely over insecure networks such as the Internet by using a public and a private key to encrypt and decrypt data. Only the private key decrypts the data encrypted with the public key.  This ensures that even if the data is intercepted during transmission, it cannot be read without the private key. This encryption method is also referred to as public key encryption or asymmetric encryption.

Authentication: Certificates ensure that a public key is actually owned by the person or system claiming ownership. They play a central role in validating the identity of a person or system, helping to build trust in digital interactions.

Data integrity: Digital signatures, which are created with a PKI, can be used to verify that data has not been altered during the transmission process und thus ensure their integrity.

Non-repudiation: Signing a certificate confirms beyond doubt that the data belongs to an entity. This is essential for legally binding transactions and other applications where the confirmation of an identity is of critical importance.

cat17,cat10

A Public Key Infrastructure (PKI) is a system of rules, functions, policies, and techniques that work together to create, manage, distribute, and verify digital certificates. These certificates are critical for verifying the identity of people or devices on digital networks and enabling them to communicate in a secure, encrypted manner.

An indispensable element within the PKI is the Certificate Authority (CA), which acts as a trusted authority. The CA is responsible for issuing certificates that validate the assignment of a public key to a specific entity. Each certificate contains details such as the entity's name, public key, expiration date, and other information, along with the CA's digital signature.

The core functions of a PKI include:

  1. Key generation: Each entity generates a pair of cryptographic keys: a public key and a private key. The public key can be freely distributed, while the private key is securely stored and kept secret.
  2. Certificate generation: The entity submits a request to the CA to obtain a certificate for its public key. This request may include identification information.
  3. Certificate issuance: The CA verifies the identity of the requesting entity and issues a certificate containing the entity's public key and identification information. This certificate is digitally signed by the CA.
  4. Certificate distribution: The entity can distribute its certificate along with its public key. Anyone who receives the certificate can verify the digital signature of the CA, and thus determine that the certificate and public key actually originate from the specified entity.
  5. Authentication and encryption: To establish secure communication, the entity sends its certificate and public key to the desired communication partner. The other party uses the public key to encrypt a message that can only be decrypted with the entity's private key. At the same time, the entity can use its private key to create a digital signature that can be verified using the public key, thus enabling authentication.

The ECOS TrustManagementAppliancet is a PKI solution that provides all of these capabilities in an integrated platform to ensure the security of mobile devices, PCs, servers and other devices in (I)IoT environments.

cat17,cat10

PKI management is a complex process that requires careful attention and planning. Here are some important points to keep in mind:

  1. Proper implementation: A PKI should be implemented with care. Implementation errors lead to vulnerabilities that can be exploited by attackers.
  2. Trustworthy Certificate Authority: A reliable Certificate Authority (CA) is critical because it validates the legitimacy of digital certificates.
  3. Private key security: Protecting private keys is of the utmost importance. If private keys are compromised, the security of the entire system is compromised.
  4. Life cycle management: Certificate lifecycles must be carefully managed. This includes their creation, distribution, renewal and revocation. Failure to revoke a certificate can result in an unauthorized party gaining unauthorized access to systems.
  5. Conformance: Ensure that your PKI solution complies with industry standards and best practices.
  6. Automation: The automation of key and certificate management processes helps eliminate human error and can be more efficient.
  7. Audit and monitoring: Regular auditing and monitoring is important to ensure that the PKI is functioning properly and to identify potential security issues early.
cat17,cat10

Certificate management, also known as certificate lifecycle management, is a central aspect of Public Key Infrastructures (PKI). It involves several steps to ensure that certificates are correctly created, distributed, stored, used, and revoked or renewed.

  1. Creation: The certificate creation process begins with the generation of a public and private key pair. The public key is embedded in the certificate, which also contains important information such as the owner's name, validity period, and digital fingerprint.
  2. Issuance: The issuing Certificate Authority (CA) verifies and validates the identity of the requester The certificate is then digitally signed to ensure its integrity and authenticity.
  3. Distribution: Once the certificate is issued and signed, it is distributed to the requester and can be used for identification and encryption. It can also be published in a public directory for others to verify.
  4. Usage: The certificate is used to verify the identity of its holder and to encrypt data. Anyone who has the certificate can use the owner's public key to encrypt data or verify the signature.
  5. Renewal/revocation: Certificates have a limited validity period and must be renewed before they expire. If a certificate is compromised and the private key has become public, it must be revoked to prevent further security breaches.
cat17,cat10
No match found!

Technical information on the Trust Management Appliance

  • Creating, renewing, revoking certificates
  • Certificates, secrets and symmetric keys
  • Key length and signature algorithm fully configurable
  • Metadata are freely definable and assignable
  • Automatic certificate renewal
  • Certificate classification and structuring
  • Automated certificate enrollment (basis via SCEP)
  • Automatable certificate renewal (basis via SCEP)
  • Certificate distribution by LDAP, SCEP, ACME or Windows service
  • Support of Windows/Linux server as well as clients, further terminal devices (esp. Android and iOS via mobile device management)
  • Fueling or creation of certificates on the smartcard
  • Self-service portal for users, helpdesk and administrators
  • Freely configurable workflows e.g.
    • application for certificate renewals
    • approval of certificate requests
    • download and installation of certificates
    • enrollment on smartcards
    • regular helpdesk/admin tasks
  • Certificate validation with CRL oder OCSP
  • Secure storage in hardware security module (HSM) possible
  • Coupling with AD and other metadirectories
  • Control and configurability of all functions via REST API
  • Integration into existing PKI as sub or root CA
  • Cluster operation, also cross-site
  • Multilevel root- and sub-CAs
  • Import interface for public and private certificates
  • SNMP interface for connection of a monitoring system
  • syslog interface for connection of a aggregation tool
  • Virtual appliance for operation with VMware, Microsoft Hyper-V or other virtualization solutions
  • Preconfigured ISO image with ECOS Secure Linux and TMA
  • Support for OTP tokens, software tokens and SMS
  • RADIUS server for authentication via IEEE 802.1X
  • Central administration of tenant-specific root CAs
  • Predefined reports and own report editor
  • Automatic notification system via Active Reports
  • Central web interface
  • Granular rights assignment for admin interface

Get in touch with us!

Our experts are happy to assist you.

Please enter your company email address!

The fields marked with (*) are mandatory and must be filled in.