Secure your corporate mail easily and effortlessly

Feb 1, 2022 | Jindřich Zechmeister

Secure your corporate mail easily and effortlessly. We are introducing KeyTalk, a certificate management server that allows you to automate your entire corporate PKI. Issuing personal S/MIME certificates and distributing them to clients is just one of many use cases that KeyTalk can do. In the form of the Secure Email Service and its hosted variants, it focuses on mail security.

Why do I need an S/MIME certificate and mail security?

Before we dive into the features of the innovative KeyTalk product, let me briefly recapitulate the importance of personal certificates for mail security.

Personal S/MIME certificates allow you to use digital signatures and mail encryption. The purpose of using a digital signature is to prove that the message was not changed after it was sent.

Mail encryption has a clear goal - to secure the message from strangers so that only the sender and recipient can read it. To encrypt a message, both communicating parties must have an S/MIME certificate and must exchange at least one signed message. If you ask why, it is because public keys are exchanged in their email clients. If you want to encrypt the message, the email client needs the recipient's public key. The recipient decrypts the encrypted message with his private key.

What KeyTalk can do

KeyTalk is a universal helper and allows you to secure your entire corporate PKI (including the webserver), but emphasizes mail and S/MIME certificates. Therefore, its name contains the abbreviation CKMS, which means Certificate Key Management System. It can really manage any certificates and keys. However, KeyTalk is not only their secure storage, but its main strength is in integrating other technologies and automation.

Judge for yourself what technologies KeyTalk can use:

  • It obtains user data from the LDAP / Active directory, and also cooperates with Azure AD
  • It can also use MySQL as a data storage
  • It communicates with certification authorities via REST API
  • It communicates with HSM
  • RADIUS protocol
  • Deploy agent is available for all operating systems and platforms

For certificate issuance, KeyTalk connects to the certification authority API (we provide it) and everything can work automatically. Certificates reach endpoints, which can be PCs, laptops, phones and tablets, thanks to KeyTalk agents - small applications that provide communication with the KeyTalk server, and store and set up the certificate on the device (for example, for use in Outlook).

Princip fungování KeyTalk CKMS
The principle of operation of KeyTalk CKMS

Choosing the right product is key

As a first step, consider whether you want to use KeyTalk as a server and manage it yourself, or as a service which you do not need to manage. Both versions are possible and have their justification.

KeyTalk CKMS can be obtained as a virtual image by default. You can run it either on a virtual server directly in your company or in your cloud. The manufacturer has prepared an image for Azure, AWS and VMware. It is easy and requires minimal knowledge.

The opposite of the managed version is service. KeyTalk Secure Email Service and Hosted Secure Email Service are services designed to make it easier for users to use the product. They focus on securing mail using S/MIME certificates. The difference between SES and HSES is that you use SES again on your own server, but HSES is provided as a service on the manufacturer's server.

The on-premise KeyTalk version offers you 100% control over the server and is intended for companies that use the cloud and have the capacity to administer the server. Cloud variants focus on mail and try to simplify use as much as possible. Not only do you secure your mail effortlessly, but you do not even have to worry about running and managing the server!

However, for meaningful functionality, you need a license and the S/MIME certificates themselves. You will get a license for CKMS separately. SES already includes a server license, so you do not need to worry about it. HSES is a fully hosted service, so licensing and administration is simplified as much as possible; the annual user fee already includes all costs.


Contact us for exact pricing and we will price KeyTalk for you immediately. However, it is good to think about the following information that we will need:

  • Do you want to take care of the server operation yourself?
  • How many users do you want to secure? This determines the number of S/MIME certificates.
  • Do you want to secure your mail internally or for communication with the outside world? If only internally, you can use "untrusted" certificates issued directly by the KeyTalk server. Otherwise, you need DigiCert certificates.

The decision is then entirely up to you. The costs of running an on-premise CKMS variant and (hosted) service are more or less the same, so focus on which variant is more comfortable for you. The hosted variant has the advantage that you do not have to run the server on your own. You will save money on server operation or cloud traffic. You do not even need an administrator.

Licenses and API connections

As soon as we fine-tune the price offer and accept it, you will get an invoice from us. Once you have paid it, we will immediately send you a license for the server (or service). Of course, the price offers are non-binding and serve only to help you with your decision.

Upload this received license to the KeyTalk server and it will come to life. You will see the number of licenses you can use.

If you want to use a certificate from DigiCert, we will have your company verified; it usually takes 1-2 business days. Then we will supply you with an API key for DigiCert and KeyTalk can issue certificates with DigiCert itself! However, you pay for them with us.

You can start issuing!

Obtaining a license based on a price offer and connecting to DigiCert can be done within 2-3 working days. Then you can start issuing certificates.

The principle of obtaining a certificate is easy with KeyTalk - on each PC or device where the certificate is to be placed, you run the KeyTalk Agent. It connects to the KeyTalk server, obtains a certificate, and sets it to the certificate store on the given station. You can even set the S/MIME certificate as the default certificate for signing in on Outlook, so neither the user nor you have to do anything.

With Group Policy, you can perform a silent installation of agents on Windows along with the configuration file. You can automate the work and the PC user does neither know nor have to confirm anything.

We are a KeyTalk partner and will be happy to advise you on a non-binding basis

We will be happy to advise you on which product is suitable for you and your purpose of use. We will advise you without obligation and you do not have to worry about asking. We will also be happy to explain the licensing and costs of KeyTalk to you transparently.

We will arrange everything for you directly at the manufacturer. KeyTalk sells services exclusively through partners such as SSLmarket; they cannot be bought directly. We also arrange KeyTalk support for you, so we will definitely not refer you to the manufacturer with whom you would have to communicate in a foreign language!