For many years, users have been asking for an Azure-based PKI that can issue SCEP certificates for Intune. Today we are happy to announce that our Azure-based CA can now issue SCEP certificates for Intune.
With this integration, organizations can now use passwordless authentication for their Virtual Private Network (VPN), network infrastructure, and more, without the need for a large on-premises infrastructure. This includes eliminating the need for domain controllers, certificate authorities, hardware security modules (HSMs), certificate revocation list (CRL) servers, and SCEP servers.
By leveraging Keytos’s Azure-based PKI solution, organizations can now easily and securely issue and manage SCEP certificates for Intune, without the need for a large team to maintain and manage their infrastructure. This aligns with Keytos and Microsoft’s shared vision of allowing organizations to go fully passwordless in a cloud-only environment, democratizing cybersecurity by lowering the barriers of entry and enabling organizations to have a secure and compliant infrastructure without the need for a large team to maintain it.
Before we get started, we must understand what the Simple Certificate Enrollment Protocol (SCEP) is. SCEP is a certificate enrollment standard that enables devices to request certificates by using a key provided by a third party. The Certificate Authority (CA) must be able to communicate with this trusted third party (in this case Intune) to validate that the key provided by the device is allowed to request a certificate.
EZCA completely replaces your on-premises ADCS CA by allowing you to achieve all the functions that your legacy CA did, without needing to worry about the maintenance and upkeep that it takes to run a highly available PKI. In addition to Intune SCEP certificates, EZCA can issue the following certificate types:
One of the key components of passwordless authentication and any modern IT stack is Windows Hello for Business. It gives users a convenient passwordless way to authenticate to corporate resources. EZCA creates the domain controller certificates required for Hybrid Key Trust Hello For Business deployment.
When EZCA was created, the main goal was to help organizations automate the issuance of SSL certificates for all scenarios. We do this via Azure integrations, in addition to enabling other modern certificate issuance methods such as local ACME, so your engineers can use the tools they are familiar with for certificate lifecycle automation.
If you are looking at issuing SCEP certificates to Intune devices, you are also probably looking at other passwordless authentication methods such as smart cards, authentication with Azure CBA, and perhaps even FIDO2 keys. EZCA connects to EZCMS, the first fully passwordless authentication onboarding tool for Azure.
We bet you are as excited as we are for this new integration, so we wanted to share with you the necessary steps to get your Intune SCEP certificate distribution up and running:
1) Register the Keytos application in your tenant and register the EZCA Intune application in your tenant. This will allow EZCA to authenticate your users and check the certificate request status in Intune to issue certificates to your Intune-managed devices.
2) Create your EZCA instance in Azure.
3) Once you have your EZCA instance, you are ready to create your Intune CA.
4) Finally, create your Intune device profiles and start issuing secure certificates to your users' devices.
At the heart of any reliable identity management system lies security and compliance. That’s why we take these pillars seriously. While it may be easy to set up and connect EZCA to Intune, you can rest assured that we take the necessary steps to secure our infrastructure and meet and exceed worldwide regulatory compliance standards. With EZCA, you can trust that your Azure PKI is being run as a world class PKI with the highest level of security and compliance.
While in this blog we only talk about the new Intune integration, EZCA also offers other features that make it the best PKI solution for Azure customers, such as our automatic Azure application certificate rotation with Key Vault, Azure IoT (Internet of Things) one-click integration, ADCS CA management, and local ACME integration.
Our main goal at Keytos is to help organizations go fully passwordless. While we just saw how EZCA can help you by issuing SCEP certificates for your devices with Intune, one of the biggest hurdles for passwordless authentication is user onboarding. Learn how EZSmartCard can work with EZCA to help organizations go fully passwordless.
If you would like to learn more or talk to a PKI expert about setting up your own Intune CA, you can Talk to a PKI expert for FREE. We are here to help you on your passwordless journey, and ensure that your PKI is set up properly and securely.