
Azure Native Certificate Authority: Private CA for Entra ID & Intune


Replace Your On-Premises CA
and Go Fully Cloud-Native with EZCA

Deploy a managed private CA in minutes—no servers, no ADCS connectors, no on-prem PKI infrastructure required.

  • No servers to deploy, patch, or maintain: fully managed SaaS via Azure Marketplace
  • Native Entra ID and Intune integration with SCEP certificate issuance
  • Automatic certificate lifecycle management and rotation
  • Supports SCEP, ACME, EST, and REST API for any workload
  • Azure Key Vault integration for automated certificate creation
  • SOC 2 Type II & ISO 27001 certified infrastructure

1,000+ customers trust EZCA for their Cloud PKI
7.3M+ cryptographic operations per month in EZCA
10+ HSM regions to choose from
99.95% Enterprise-Tier SLA

Azure-Native Integrations for Your Private Certificate Authority

EZCA is the best CA for Azure customers. This Azure PKI allows you to run and scale your own highly available private CA service without the upfront investment and ongoing maintenance costs of operating a private CA or private CA hierarchy. Whether you are creating a new private PKI hierarchy or chaining up to your existing Root CA, EZCA will help you create a secure, cloud-scale, Azure-based Certificate Authority that meets and exceeds industry standards.


One of the main reasons many Azure customers choose EZCA as their Azure Certificate Authority is its native integrations with Azure services, which make it easy for you to create your PKIaaS in Azure, then set it and forget it. EZCA will then take care of all the certificate management operations, from running a world-class CA to more tedious tasks such as keeping track of certificates and automatically rotating them.


How To Create a Cloud Based CA in the Azure Marketplace

The first step for getting started with EZCA is creating your PKI subscription in Azure. With our Azure Marketplace listing, you can create your cloud CA in minutes, and while it is deployed in Azure, it is a SaaS solution, meaning that no infrastructure is deployed in your tenant.


Intune SCEP Certificate Authority Connection

Intune enables you to manage your organization's devices without the need to have an on-premises domain. Now with EZCA you can easily create an Azure-based certificate authority for Intune and issue SCEP certificates without the overhead of managing an ADCS (Active Directory Certificate Services) instance and an Intune SCEP connector.


Ready to replace your ADCS or on-prem PKI? See how EZCA connects to Intune in a live 30-minute demo. Or, if you are ready to try it for free, start your free trial!

Automatic SSL Certificate Rotation With Azure Key Vault Integration

While EZCA offers many automatic certificate issuance protocols such as SCEP and ACME (Automatic Certificate Management Environment), one of the most used features is our one-click Azure Key Vault certificate creation and management integration. This integration enables users to securely create and manage certificates following Azure best practices with an Azure Key Vault backed by an HSM (Hardware Security Module). This integration fully automates certificate issuance in Azure.


Automatic Entra ID Application Certificate Rotation

With the exponential growth of cloud services, the identities that protect those services have also grown exponentially, making it impossible for humans to securely manage the identities for those cloud services. To help organizations automate their certificate rotation, we are proud to say EZCA is the only PKIaaS that offers automatic Entra ID Application Certificate Rotation.


The Best Certificate Authority for Azure IoT

As IoT has gained popularity, it has become a must-have for many businesses, but like any emerging technology, IoT has also grabbed the attention of hackers. Most IoT attacks, from small attacks directed at specific companies to large-scale attacks such as the attack on DNS infrastructure by the Mirai botnet, have one thing in common: a weak identity story for managing the IoT devices. To make it easier for organizations to get up and running with Azure IoT Hub certificate authentication, we have created a guide on IoT identity security best practices and a one-click integration with Azure IoT that allows you to easily create your Azure-based CA and connect it with Azure. We have also created Azure IoT Authentication code samples connected to our Azure IoT certificate authority that enable you to have a working prototype in days instead of months.


Monitor Your Certificate Authority with our Sentinel Integration

As a Microsoft Security partner, we could not create an Azure-based PKI without sending all alerts and logs to Azure Sentinel. All Keytos tools send all security logs to Azure Sentinel, giving you a single pane of glass where your SOC team can monitor your infrastructure and detect anomalies.


Cloud PKI Frequently Asked Questions

What is an Azure Certificate Authority?

An Azure Native Certificate Authority (CA) is a cloud-hosted service that issues and manages digital certificates within the Azure ecosystem. EZCA by Keytos is a managed private CA built natively for Azure, integrating with Entra ID, Intune, Key Vault, and IoT Hub to automate certificate lifecycle management without requiring on-premises infrastructure.

How is EZCA different from Active Directory Certificate Services (ADCS)?

Unlike ADCS, EZCA requires no on-premises servers, no NDES/SCEP connector, and no domain controllers. It is a fully managed SaaS solution deployed via the Azure Marketplace that scales automatically, integrates natively with Entra ID and Intune, and handles certificate rotation automatically, eliminating the operational burden of running your own PKI infrastructure.

Does EZCA require any infrastructure?

No. EZCA is a SaaS solution purchased through the Azure Marketplace. No infrastructure is deployed in your tenant. There are no servers to maintain, no connectors to configure, and no on-premises dependencies. You get a production-grade private CA hierarchy running in the cloud from day one.

Can EZCA issue SCEP certificates for Microsoft Intune?

Yes. EZCA works with Microsoft Intune and any other MDM platform that supports SCEP to issue certificates to managed devices without the ADCS NDES connector, supporting Windows, macOS, iOS, and Android devices from a fully cloud-native CA. See the Intune SCEP integration guide for step-by-step instructions.

What certificate protocols does EZCA support?

EZCA supports SCEP, ACME, EST, and REST API-based certificate issuance. It also integrates with Azure Key Vault for automated certificate creation and rotation, making it suitable for web servers, IoT devices, Entra ID applications, and internal services.

Create Your Cloud PKI in Minutes

Get a Free PKI Assessment

Talk to one of our identity experts about how EZCA can reduce your IT cost while improving your user productivity and security.