IoT devices require a new breed of certificate management solutions. EZCA represents a significant step forward, offering a purpose-built tool that addresses the needs of modern security practitioners.
EAP-TLS Wi-Fi CBA is widely recognized as the most secure method for network authentication in WPA2 and WPA3 Enterprise Wi-Fi environments, especially when compared to the traditional, password-based Wi-Fi authentication methods. This is due to several key advantages.
The easiest way to create user or device certificate it is with an MDM such as Intune. But what if you have non-MDM managed devices? Learn how to create certificates for non-MDM managed devices with a self-service portal.
Explore PKI best practices, from setting up a two-tier CA hierarchy to utilizing HSMs and OCSP. Discover easy certificate distribution and management with cloud-based solutions.
Learn how to avoid outages by automatically rotating your private SSL certificates in Azure Key Vault with EZCA and the automatic Azure Key Vault and AAD Application Rotation.
In the quest to safeguard your organization's WPA2-Enterprise network, the arsenal of protocols at your disposal is vast. Yet, among these, the Extensible Authentication Protocols (EAP) emerge as the preeminent choice for a substantial number of enterprises. Let’s delve into an examination of the two most prevalently employed EAP protocols, aiming to highlight the merits of each and thereby assist you in making an informed selection most befitting your organizational needs.
Are you wondering what PKI authentication is and how it works? In this blog, we'll run through what PKI authentication is and how it works, as well as the benefits and drawbacks of PKI authentication.
SSH certificates are an evolution of traditional SSH keys. Instead of using individual keys for authentication learn how to set up an SSH Certificate Authority in Azure.
CT logs is the secret tool that helps you detect and mitigate security incidents related to certificate issuance. Learn more about how to monitor CT logs and why it's important.
In this blog we look at the options for deploying a private cloud certificate authority in Azure. We also discuss the pros and cons of Microsoft's Cloud PKI solution and the best alternative to it.
Discover the importance of certificate-based authentication for Azure IoT Hub and the benefits of cloud PKI for seamless IoT device security. Learn how automatic certificate rotation and a managed Certificate Authority streamline device management and enhance security.
Explore the vital role of SSL/TLS certificates and SSL monitoring in preventing man-in-the-middle (MITM) attacks, safeguarding online transactions, and protecting organizational security. Learn how these measures encrypt communications, authenticate server identities, and ensure data integrity, establishing a secure and trusted connection.
With the move to the cloud, people are looking for ADCS alternatives in Azure. In this article, we will show you how to set up a Cloud PKI with Azure Key Vault or dedicated HSM.
You probably saw the new Microsoft Intune PKI announcement and like most people were shocked by the price and lack of features. Int this page we talk about what are the best alternatives to Microsoft Intune PKI?
In today’s fast-paced digital age, securing wireless networks is critically important. The implementation of Wi-Fi certificate authentication stands out as an essential method that enhances network security and user accessibility.
SCEP works alongside ManageEngine, a cloud-based solution for endpoint management, to help with the distribution and management of digital certificates managed by ManageEngine. But, how? This blog aims to answer that age-old question!
While Remote Desktop Protocol (RDP) is a convenient and efficient way to access remote systems, if it is not properly administered, it can be vulnerable to some attacks such as Man-In-The-Middle attacks caused by using the Trust on First Use (TOFU) model. In this blog post, we will discuss why RDP TOFU is a bad security model and why organizations should use SSL certificates instead.
Simply put, SCEP is a protocol used to automate the issuance and management of certificates within a Public Key Infrastructure (PKI) environment. But how does it work, and why should you and your organization care? Read on to find out everything you should know about what SCEP is.
SSL monitoring, also referred to as SSL certificate monitoring, is the ongoing process of checking and validating SSL certificates and their configurations on websites and services. But why is SSL monitoring important? Click here to find out!
ManageEngine provides the capability to authenticate devices using SCEP certificates, offering a robust method for device security and facilitating passwordless device access. Getting these certificates, though, can be somewhat challenging. This blog will guide you through obtaining SSL certificates for ManageEngine managed devices.
Stolen subdomains are a hot commodity in the black market; CAA records can help you protect your organization from this scary vulnerability by limiting SSL Certificate issuance to your organization only. Learn more on how to set it up with this blog!
Recently, Microsoft finally announced the release date for the Microsoft Cloud PKI! While this news seems exciting and game-changing on the surface, a deeper dive reveals quite a few flaws with this long-awaited service. In this blog, we will go through the pros and cons of Microsoft Cloud PKI to help you decide whether or not it’s worth it.
A question that we've been hearing more frequently is, "Can I use IoT device certificates to authenticate in Azure?" The TL;DR here is yes, you absolutely can! This blog will show you how.
Setting up a cloud PKI for Azure IoT has never been easier than it is now, thanks in part to innovative third-party PKI tools like EZCA! A quick glance at some of the benefits associated with implementing the cloud makes it very clear as to why so many organizations are migrating to the gold-standard in device security. From enhanced security via encryption, to scalability, to automation, all the way through to adherence to industry-specific compliance standards, anyone that's serious about IoT device security is taking proactive measures to get their cloud PKI set up with haste. In this blog, we're going to take a look at how to authenticate with certificates into Azure IoT Hub.
Did you know that Microsoft finally announced their plan to launch a Cloud PKI? Anyone with their "ear-to-the-ground" within the Azure Security community will tell you, they've been looking forward to this announcement for longer than they'd like to admit. Frankly, it's very surprising that this is the first time that Microsoft has decided to wade into the waters of cloud public key infrastructure. So, you'd think that the community would be incredibly enthusiastic about the announcement, right? Turns out, not so much. Check out this blog to learn more about Microsoft's Cloud PKI solution and the pros and cons associated with it!
Have you been assigned to create User Certificates with Intune but don't know where to start? We feel your pain. Luckily, you've come to the right place! In this post, we will go over what you need and how to get it set up.
EZCA, a trusted ManageEngine CA partner, offers a secure, cloud-based certificate authority setup for ManageEngine SCEP. This integration with ManageEngine allows for efficient certificate distribution, utilizing strong cloud infrastructure. EZCA offers a scalable and reliable certificate authority service, specifically designed for today’s business environments. With EZCA, organizations can enhance the security of their mobile and endpoint devices, taking advantage of ManageEngine’s advanced cloud technologies. This partnership between ManageEngine and EZCA marks a significant advancement in organizational security. Read here about how EZCA is the best ManageEngine SCEP CA for your organization!
Before choosing a third-party CA to integrate with ManageEngine, it’s important to first evaluate your organization’s specific goals and requirements. This involves identifying the types of devices and platforms that require support, the variety of certificates you plan to use, considerations for scalability and security, and any other aspects unique to your situation. Understanding your needs thoroughly makes it much easier to match them with the offerings and capabilities of potential CAs. Click here to learn about how to choose the right ManageEngine CA for device management!
SSL certificates play a crucial role in securing network traffic and validating the identities of devices and applications across your organization; however, as the number of certificates an organization needs to manage increases, so does the complexity of managing them. SSL automation is a major part of our recommended PKI and SSL certificate management best practices. But what makes certificate automation so important? Click here to find out!
Why should you use certificate-based authentication (CBA)? How does CBA work? What is the flow to create certificates for IoT devices? And, above all else, how do you set up Azure IoT Hub CBA? In this blog, we answer all of these questions and more!
We love Microsoft, but let’s be real for a second - they don’t always deliver on their promises. For example, if you decided to listen to Microsoft from years ago and wait for them to release their CA for Intune, you would have to pray that scientists discover time travel so you can skip ahead 100 years to get it – and even then you’d be rolling the dice on it actually being ready to release. In the meantime, Microsoft recommends that organizations seeking an Intune CA use EZCA, the first cloud-based CA solution for Azure ever created, citing EZCA by Keytos as one of their approved third-party CA partners, a glowing endorsement. So now you’re probably wondering, "that’s great and all, but where can I learn how to set up an Intune CA with EZCA?" You’re in the right place! Let’s jump in, shall we?
Microsoft CA has been the go-to certificate authority for 20+ years; while it may be reliable and trustworthy due to its age, it simply does not meet the cloud requirements that organizations have today. With EZCA, you can modernize your existing Microsoft CA PKI by extending it and adding modern protocols. Click here to learn more.
Azure PKI is a cloud-based Certificate Authority specially designed for Microsoft’s cloud platform, Azure. Its primary function is to facilitate the creation and management of digital certificates tailor-made for applications residing in the cloud. EZCA, our Azure PKI, does this through some really cool integrations like Azure IoT, Azure Key Vault, automatic AAD Application certificate rotation, and Sentinel. But what exactly can Azure PKI do for you? Click here to find out!
PKI is a combination of hardware, software, policies, and standards that work together to provide a comprehensive framework for secure communications in the digital world. The general consensus in the cybersecurity world is that PKI is hard – here at Keytos, we beg to differ. PKI is actually easy! In this blog, we'll run through what PKI is and the best way for you to get started with it.
In the world of network security and certificate management, two prominent technologies often come to the forefront: Microsoft Network Device Enrollment Service (NDES) and Simple Certificate Enrollment Protocol (SCEP). Although these technologies are interconnected, they serve distinct roles within the digital landscape. Let's take a deeper dive into what each technology is and how they work hand-in-hand.
In a Two-Tier PKI Hierarchy, which is the recommended structure employed in certificate management, two main types of certificate authorities (CAs) emerge: the root CA and the subordinate CA, also known as the issuing CA. While the root CA is the primary trust anchor and sits at the pinnacle of this hierarchy, the subordinate CA plays a more nuanced and specific role. In this blog, we will explore what exactly the role of the subordinate CA is.
A root certificate authority, often referred to as the foundation of trust in your PKI system, is pivotal for authenticating a certificate chain. For this chain to be trusted, the root certificate must be embedded into the operating system's trusted root store. Check out this blog for an in-depth look at root CAs!
Compromised subdomains are becoming increasingly valuable amongst hackers and other cyber criminals in the darker corners of the internet. How can you best protect your SSL certificates from being compromised? CAA Records. Check out this blog to learn how this straightforward solution proves to be a potent defense mechanism, emphasizing its potential to be a significant deterrent against future phishing threats.
With the growth of certificate-based authentication, many organizations have found Shadow IT CAs run by engineers that needed certificates and did not use the company-approved private CA. These are usually not created with malicious intent, but instead, an engineer realizes that they need a certificate authority to create certificates for their authentication (either to their application, to a cloud service, or something else). Since they do not know who to talk to or if the organization has an internal Certificate Authority for this use case, they go ahead and create a certificate authority on their own. This is a major risk for you since certificate authorities – if not configured properly – can become huge vulnerabilities for your organization. Check out this blog to learn about the best way to detect and combat shadow IT certificate authorities.
A crucial security measure for organizations interacting with customers is safeguarding the data exchanged between both entities against external threats. If data integrity is compromised, it erodes the trust of customers or data recipients as their information becomes vulnerable. Leveraging SSL and TLS certificates ensures over-the-air data remains secure. In this blog, we will aim to clarify the mystique surrounding the difference between SSL and TLS certificates – if there is any.
As more and more systems are being moved from on-premises to the cloud, more people are considering how to move certificate authorities to Azure. Browsing through Microsoft forums from even years ago, we can see that people want such things as a new PKI that connects to Intune and Azure Key Vault and having Key Vault act as a KSP to run certificate authorities in the cloud. In this blog, we will run through some alternatives to run CAs in the cloud in order to best help your organization modernize its PKI.
For the longest time now, the tech community been patiently waiting for our buddies at Microsoft to FINALLY build at Cloud PKI for Intune. But as the universe would have it, this vision didn't materialize. Shocking, I know. Luckily for us, Microsoft has graciously decided to shine its spotlight onto EZCA by Keytos — a revolutionary cloud-based PKI tailored for Intune. Built by ex-Microsoft Cloud PKI Engineers, EZCA is clearly the best option for organizations looking to button-up their security best practices around Intune certificates. If you're eager to upgrade your Intune PKI, keep on reading.
You can now use the popular PKI protocol ACME to manage your ADCS (Active Directory Certificate Services) internal certificates with Keytos' EZCA. Allowing you to use your same certificate automation tools you use for your external certificates for your internal certificates.
If we’re being honest, Google has been bullying the internet into decisions for the better part of two decades (like Certificate Transparency Logs). Most recently, they announced that they’re mandating that all certificates need to be to be rotated every 90 days. This new policy has significant ramifications for identity engineers, and in this article, we will take a look into the implications of this mandate for everyday security practitioners.
Private PKI is basically an amalgamation of mechanisms using public key cryptography to verify the authenticity of users and devices. This infrastructure utilizes digital certificates, certificate authorities (CAs), and certificate revocation lists (CRLs) to remain operational. But not all PKIs are equal... This is where you’ll observe the differentiation and clear distinction between public PKIs and their private counterparts. This article will provide a quick outline the intricacies of a private PKI and let you know a little bit more as to why it might be good for your organization.
When moving to the cloud, one of the questions your security team will ask is, "How can I get an HSM (Hardware Security Module) backed Certificate Authority/PKI (Public Key Infrastructure) in Azure?" While there is no Certificate Authority as a service offered by Azure or Key Vault, we are happy to offer EZCA, an Azure based Certificate Authority that leverages Key Vault and Azure Dedicated HSM(s) to create cloud-native Certificate Authorities in Azure.
In today’s world, which is increasingly gravitating towards zero-trust principles, Public Key Infrastructure (PKI) stands as a pillar of trust. Yet, conventional methods of handling PKI often come with their fair share of issues and stumbling blocks, potentially leading to vulnerabilities and operational inefficiencies. However, there is a significant transformation underway - a shift toward automating PKI management. In this article, we'll examine the challenges inherent in traditional PKI management, explore the paradigm shift towards automation, and underline the advantages of adopting this innovative approach, with a particular focus on our tool, EZCA by Keytos, the only truly native Azure PKI.
Odds are you’ve landed here after the long and tedious exercise that is searching the Internet for the best Intune SCEP CA. We know that selecting the right Certificate Authority (CA) to issue Simple Certificate Enrollment Protocol (SCEP) certificates for Intune can be challenging, to say the least! With numerous vendors and factors to consider, how can you really be certain you’re making the right decision? Luckily, we’ve taken the guesswork out of the equation for you! This blog post aims to guide security developers by aligning key selection criteria with the remarkable features of EZCA, the first Azure-native CA designed with Intune SCEP in mind!
Your organization has been running for years without needing an SSL management tool. Did you know that this is actually incredibly costly? Click here to learn all about the costs of not implementing an SSL management tool, as well as the best way to monitor SSL certificates.
Public CAs are recognized third-party entities that satisfy the criteria set by leading certificate stores, including Microsoft, Apple, and Mozilla; due to this, devices’ operating systems inherently trust public CAs. This means that individuals within an entity don’t have to manually register their certificates, as the system already deems them trustworthy. Click here to learn more about public CAs, what they are used for and how to request one!
Private CAs are predominantly employed for internal certificates, ensuring that the certificate doesn’t require external party validation. Typical applications of a private CA encompass internal websites, application, user, and device authentication. Click here to learn more about what a private CA is and why it is used.
Most everyone responsible for managing devices access across their organization using Intune has eventually been stumped by a couple of questions. “What’s the best Certificate Authority for Intune?” and “How am I going to take care of all these dang certificates?” Luckily for you, we’ve created EZCA to help you modernize your PKI in minutes! Read on to find out how EZCA by Keytos can help make MDM painless!
Cyber threats are ever evolving, and organizations constantly seek out streamlined solutions to protect their digital assets. That being said, protocols that automate secure processes are absolutely golden. Enter ACME, or Automated Certificate Management Environment. But the pressing question lingers, is the ACME protocol secure? Let's take a thorough look into ACME, its security features, some common misconceptions, and how it'll keep you secure.
As certificate-based authentication continues to increase, ensuring that these certificates are valid and trustworthy is of extreme importance. Bad actors and threats are becoming increasingly sophisticated, so the way we monitor and validate certificates has needed to be developed to maintain the security of our precious data. In the following, we’ll explore what these protocols are, why they’re so important, how they’re different, and why the contemporary Security Engineer should become familiar.
ACME is an acronym that stands for Automated Certificate Management Environment, and when simplified to an extreme degree, it’s a protocol designed to automate the interaction between certificate authorities (CAs) and users' web servers. How can you use this to further improve your organization's handling of certificates? Read on to find out!
As the need for secure and compliant data transactions (of all sorts) continues to skyrocket, the use of SSL and TLS certificates has become increasingly prevalent. But what happens when certificates expire or don’t get renewed in a timely fashion? In an effort to nip this problem in the bud, ACME protocol was created. In this blog, we'll take a look into the details of ACME to understand how it helps in preventing SSL related outages.
Modern organizations, regardless of size, find themselves in an ongoing battle to safeguard their precious data from prying eyes and malicious actors. Central to this is PKI. When it comes to deploying PKI, organizations stand at a crossroad - should they tread the challenging path of manual, in-house certificate management or opt for the streamlined and efficient route provided by 3rd party tools? As we delve deeper into the world of PKI in this blog, you'll discover why choosing the latter could be the game-changer your organization needs.
OCSP stands for “Online Certificate Status Protocol.” As its name suggests, it’s a protocol specifically designed to check the revocation status of individual digital certificates. But how does it work and, more importantly, how does it impact your organization? Read our tell-all piece on OCSP to find out!
You’ve probably seen us mention X.509 certificates many times in different blogs and pages on our site, but what exactly are they? What makes a certificate an X.509 certificate? Is an X.509 certificate any different from an SSL certificate?
Automating SSL Certificate Management removes the inevitable human error associated with almost every SSL outage. Keep reading, follow these steps, and you’ll significantly reduce the likelihood of any SSL certificate outages in the future.
HSMs provide a dedicated, secure, and tamper-resistant environment for managing cryptographic keys, performing encryption and decryption operations, and automating key lifecycle management. In this article, we will delve into the fundamentals of HSMs, why they are crucial in modern cybersecurity, their relevance within the context of existing solutions, and how various industries leverage them.
CAA stands for Certificate Authority Authorization (try saying that five times fast), but don't let that mouthful throw you off. In this blog, we go over the fundamentals of what a CAA is and why a CAA is so important in your PKI journey.
In the digital world, the security of communications, especially online transactions, is incredibly important. A significant aspect of this security revolves around digital certificates; like all things digital, however, certificates can sometimes become compromised. This is where a Certificate Revocation List (CRL) becomes essential. In this blog, we'll delve deep into the concept of a CRL, its significance, its working mechanism, and even touch upon creating one.
With the move to the cloud, people are looking for ADCS alternatives in Azure. In this article, we will show you how to set up a PKIaaS Azure Certificate Authority with Azure Key Vault or dedicated HSM.
Client certificate authentication is one of the most secure ways for customers to authenticate into your APIs. In this blog, we will show you how to set up client certificate authentication with automatic certificate rotation in Azure API Management Service.
With the ability to issue SCEP certificates for Intune, organizations can now use passwordless authentication for their VPN, network infrastructure and more, all without the need for a large on-premises infrastructure, thus eliminating the need for domain controllers, certificate authorities, hardware security modules (HSMs), certificate revocation list (CRL) servers, and SCEP servers. Check out our blog on how Intune works with SCEP to learn more about the basics behind this.
Microsoft said for years that they would create and offer a PKI for Intune; unfortunately, they could not do it. Instead, Microsoft recommends that organizations use EZCA to set up an Intune PKI. Read on to learn exactly what you need to do to set up an Intune PKI with EZCA.
CT logs play a crucial role in detecting and mitigating security incidents related to certificate issuance, benefiting both end-users and organizations relying on secure communication. But what exactly are they, and why should you take note of them?
The world of CA hierarchy and design is a complex one – but it doesn’t have to be. The implementation of proper certificate authority hierarchy and design is key to secure communication across your organization.
SCEP (Simple Certificate Enrollment Protocol) can be used in conjunction with Microsoft Intune, a cloud-based endpoint management solution, to facilitate the deployment and management of digital certificates on devices managed by Intune. But how does Intune work with SCEP? Read on to find out.
Root certificate authorities and issuing/subordinate certificate authorities are vital to CA design, particularly in a Two-Tier Hierarchy. So, what are they and what makes them so important?
PKI is based on trust - clients must be able to trust the root CA in order to build a chain of trust and accept a certificate. Not only is trust the key to PKI, but it is also the key to understanding public vs private certificate authorities.
With the move to the cloud, the days of manually managing SSL certificates are gone. Now, Most organizations are moving to the ACME protocol. An easy to use protocol that automatically renews your SSL certificates preventing costly outages while freeing your engineers time to focus on other critical tasks.
As with many security tools, the origin of certificate transparency logs can be traced back to a cyberattack. The attack that can be credited with the creation of CT Logs is the 2011 DigiNotar attack. Now, Certificate Transparency logs enable organizations to have full visibility to all certificates issued for their domains.
With the exponential growth of online services, it has become impossible to manually rotate application certificates. Learn how you can automate your AAD Application certificate rotation with the new automatic Azure AD certificate rotation from EZCA.
ADCS has been the go to Certificate Authority for over two decades, while it is secure and reliable, it does not meet the cloud needs that organizations now have. EZCA enables you to modernize your existing ADCS PKI by extending it and adding modern protocols such as REST API, Azure Key Vault integration, Azure IoT integration, and ACME.
The number of deployed IoT Devices is growing exponentially, and so are the cyber-attacks geared against IoT. The first large scale IoT device attack was Mirai botnet bringing down a large part of the internet. How did the attacker gain control over thousands of IoT devices? It was simply a hard coded credential that gained them access into the device's Operating System.
