
How to Onboard PIVKey Smart Card Certificates for Azure CBA and AD Smart Card Authentication

How to create PIVKey certificates for Azure CBA (Certificate Based Authentication) and AD Smart Card Authentication
11 Sep 2023

SmartCard Support Added to EZCMS - The Leading Passwordless Onboarding Solution for Azure

While you have been able to use YubiKeys for FIDO2 and Azure CBA with EZCMS for over a year, we have heard your feedback, and we are happy to announce that you can now onboard both PIVKey smartcards and Taglio smartcards with EZCMS, either for Azure CBA or for AD (Active Directory) smart card authentication. This allows you to use the same card for physical access and for passwordless authentication.

How To Onboard PIVKey Smartcards to Azure CBA

The first step is to enable Azure CBA. For this we will use our Azure-based Certificate Authority, EZCA, since it makes the setup easier and faster; if you already have an ADCS (Active Directory Certificate Services) CA and want to use that instead, you can connect your EZCMS instance to ADCS.

How to Setup Azure CBA in Azure

Below you can see a quick video on how to set up Azure CBA in Azure; if you prefer written documentation, follow these steps:
1) Create your root Certificate Authority
2) Create your EZCMS instance
3) Create your smartcard Certificate Authority
4) Add the Certificates to Azure CBA
5) Enable PIVKey as a smartcard provider in settings
6) Register your tenant in EZCMS and add the CA we created before.
7) Once your tenant is connected, set yourself as an HR administrator and add yourself to the HR database

Once we have set up Azure CBA, we are ready to issue smartcards and start our passwordless authentication journey!

Create a Certificate for PIVKey Smartcards

Now that we have set up EZCMS and Azure CBA, we can assign your first PIVKey smartcard. First, go to the portal and request a PIVKey smartcard. Then, using the EZCMS client with your administrator account, assign the smartcard to yourself.

Issue the Smartcard Certificate

Now we can issue the smartcard certificate! First, make sure you have downloaded and installed the PIVKey administrator tools on the machine that will be used to create the smartcard. Once they are installed, you can request your certificate either by scanning your government ID (premium plan only) or by using an existing AAD (Azure AD) identity.

Smartcard Limitations

As you can see, the PIVKey integration is very smooth and takes only a few minutes to get set up. If you want help setting it up, we can schedule a free deployment call where an engineer from our team will join and get you fully set up in less than 30 minutes. However, since smartcards are an older technology, some of the features we have with YubiKeys are lost:

  1. There is no reset card: once a PIVKey card is assigned, it cannot be factory reset and reassigned to another user. (This is usually fine, since cards are typically printed with the user's information and are made for a single user.)

  2. These smart cards do not support FIDO2 authentication; it is not required for passwordless authentication, but it is still nice to have.

  3. Windows onboarding only. Because we depend on PIVKey's admin tools, onboarding must be done on a Windows machine. Once the smartcard is created, it can be used on Linux and macOS.

  4. Only one smartcard can be assigned per user.

  5. There is no bring-your-own-smartcard support; every smartcard must be assigned to a user before issuance.

  6. Mitigation for KB5014754 (the Windows update that makes domain controllers require a strong certificate-to-account mapping for smart card logon, such as the SID certificate extension or an altSecurityIdentities entry on the user) is only supported with EZCA CAs, not with ADCS.
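If you are on ADCS and therefore have to handle KB5014754 yourself, the following PowerShell script is an added example that is not part of the original post and is not EZCMS or PIVKey code. It reads a user's smart card certificate from a .cer file, reports whether it carries the SID extension (OID 1.3.6.1.4.1.311.25.2), and, if it does not, builds the X509IssuerSerialNumber value that KB5014754 documents for the user's altSecurityIdentities attribute. The certificate path and user name are placeholders, the optional Set-ADUser call assumes the ActiveDirectory RSAT module is installed and you have write access to the user object, and the issuer reversal assumes the issuer DN contains no escaped commas.

```powershell
# Added example, not part of the original post: KB5014754 strong-mapping check for a
# smart card certificate. Placeholders: the certificate path and the user name.
param(
    [Parameter(Mandatory)] [string] $CertPath,   # e.g. C:\certs\jdoe.cer (placeholder)
    [string] $SamAccountName                     # e.g. jdoe (placeholder); set it to write the mapping to AD
)

# szOID_NTDS_CA_SECURITY_EXT, the SID extension introduced with KB5014754. A domain
# controller treats a certificate that carries it (with the user's SID) as strongly mapped.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'

function Test-HasSidExtension {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    return [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid })
}

function Get-IssuerSerialMapping {
    # Builds the X509IssuerSerialNumber form documented in KB5014754, e.g.
    #   X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B
    # The issuer DN is written in reverse RDN order and the serial number is byte-reversed
    # relative to how the Certificates snap-in displays it.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    # Assumption: no RDN value in the issuer contains an escaped comma.
    $rdns = @($Cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # $Cert.SerialNumber is the big-endian hex string; split it into byte pairs and reverse them.
    $pairs = @([regex]::Matches($Cert.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    $serial = ($pairs -join '').ToUpper()

    return "X509:<I>$issuer<SR>$serial"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

if (Test-HasSidExtension $cert) {
    Write-Output "Certificate for '$($cert.Subject)' carries the SID extension; it is strongly mapped and needs no altSecurityIdentities entry."
} else {
    $mapping = Get-IssuerSerialMapping $cert
    Write-Output "No SID extension found. Strong mapping for altSecurityIdentities: $mapping"
    if ($SamAccountName) {
        # Needs the ActiveDirectory RSAT module and write access to the user object.
        Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
        Write-Output "Added the mapping to $SamAccountName."
    }
}
```

Save it under any name you like and run it as, for example, `.\Check-StrongMapping.ps1 -CertPath C:\certs\jdoe.cer` to only report, or add `-SamAccountName jdoe` to also write the mapping. Note that the SID extension only counts as a strong mapping when the SID inside it matches the account the user logs on as; the domain controller enforces that match, so a certificate issued for one user cannot be reused to map to another.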

Distribution and Smartcard Printing

We understand that one of the hardest parts of moving to Smartcard authentication is the printing and distribution of the smartcards; this is why our software has an integrated ticketing system that allows your team to assign and ship smartcards as users request them. However, we understand that you might be too busy for that, or do not want to buy a fancy printer; if that is the case, feel free to schedule a demo and ask us about our managed smartcard distribution service.
