PKI is a combination of hardware, software, policies, and standards that work together to provide a comprehensive framework for secure communications in the digital world. The general consensus in the cybersecurity world is that PKI is hard - here at Keytos, we beg to differ. PKI is actually easy! In this blog, we'll run through what PKI is and the best way for you to get started with it.
In the world of network security and certificate management, two prominent technologies often come to the forefront: Microsoft Network Device Enrollment Service (NDES) and Simple Certificate Enrollment Protocol (SCEP). Although these technologies are interconnected, they serve distinct roles within the digital landscape. Let's take a deeper dive into what each technology is and how they work hand-in-hand.
In a Two-Tier PKI Hierarchy, which is the recommended structure employed in certificate management, two main types of certificate authorities (CAs) emerge: the root CA and the subordinate CA, also known as the issuing CA. While the root CA is the primary trust anchor and sits at the pinnacle of this hierarchy, the subordinate CA plays a more nuanced and specific role. In this blog, we will explore what exactly the role of the subordinate CA is.
A root certificate authority, often referred to as the foundation of trust in your PKI system, is pivotal for authenticating a certificate chain. For this chain to be trusted, the root certificate must be embedded into the operating system's trusted root store. Check out this blog for an in-depth look at root CAs!
Compromised subdomains are becoming increasingly valuable amongst hackers and other cyber criminals in the darker corners of the internet. How can you best protect your SSL certificates from being compromised? CAA Records. Check out this blog to learn how this straightforward solution proves to be a potent defense mechanism, emphasizing its potential to be a significant deterrent against future phishing threats.
With the growth of certificate-based authentication, many organizations have found Shadow IT CAs run by engineers who needed certificates and did not use the company-approved private CA. These are usually not created with malicious intent; instead, an engineer realizes that they need a certificate authority to create certificates for their authentication (either to their application, to a cloud service, or something else). Since they do not know who to talk to, or whether the organization has an internal Certificate Authority for this use case, they go ahead and create a certificate authority on their own. This is a major risk for you, since certificate authorities – if not configured properly – can become huge vulnerabilities for your organization. Check out this blog to learn about the best way to detect and combat shadow IT certificate authorities.
A crucial security measure for organizations interacting with customers is safeguarding the data exchanged between both entities against external threats. If data integrity is compromised, it erodes the trust of customers or data recipients as their information becomes vulnerable. Leveraging SSL and TLS certificates ensures over-the-air data remains secure. In this blog, we will aim to clarify the mystique surrounding the difference between SSL and TLS certificates – if there is any.
As more and more systems are being moved from on-premises to the cloud, more people are considering how to move certificate authorities to Azure. Browsing through Microsoft forums from even years ago, we can see that people want things such as a new PKI that connects to Intune and Azure Key Vault, and the ability to have Key Vault act as a KSP so that certificate authorities can run in the cloud. In this blog, we will run through some alternatives for running CAs in the cloud in order to best help your organization modernize its PKI.
For the longest time now, the tech community has been patiently waiting for our buddies at Microsoft to FINALLY build a Cloud PKI for Intune. But as the universe would have it, this vision didn't materialize. Shocking, I know. Luckily for us, Microsoft has graciously decided to shine its spotlight onto EZCA by Keytos, a revolutionary cloud-based PKI tailored for Intune. Built by ex-Microsoft Cloud PKI Engineers, EZCA is clearly the best option for organizations looking to button up their security best practices around Intune certificates. If you're eager to upgrade your Intune PKI, keep on reading.
You can now use the popular PKI protocol ACME to manage your ADCS (Active Directory Certificate Services) internal certificates with Keytos' EZCA. This lets you use the same certificate automation tools you already use for your external certificates for your internal certificates as well.
If we’re being honest, Google has been bullying the internet into decisions for the better part of two decades (like Certificate Transparency Logs). Most recently, they announced that they’re mandating that all certificates need to be rotated every 90 days. This new policy has significant ramifications for identity engineers, and in this article, we will take a look into the implications of this mandate for everyday security practitioners.
Private PKI is basically an amalgamation of mechanisms using public key cryptography to verify the authenticity of users and devices. This infrastructure utilizes digital certificates, certificate authorities (CAs), and certificate revocation lists (CRLs) to remain operational. But not all PKIs are equal... This is where you’ll observe the differentiation and clear distinction between public PKIs and their private counterparts. This article will provide a quick outline of the intricacies of a private PKI and let you know a little bit more about why it might be good for your organization.
When moving to the cloud, one of the questions your security team will ask is, "How can I get an HSM (Hardware Security Module) backed Certificate Authority/PKI (Public Key Infrastructure) in Azure?" While there is no Certificate Authority as a service offered by Azure or Key Vault, we are happy to offer EZCA, an Azure based Certificate Authority that leverages Key Vault and Azure Dedicated HSM(s) to create cloud-native Certificate Authorities in Azure.
In today’s world, which is increasingly gravitating towards zero-trust principles, Public Key Infrastructure (PKI) stands as a pillar of trust. Yet, conventional methods of handling PKI often come with their fair share of issues and stumbling blocks, potentially leading to vulnerabilities and operational inefficiencies. However, there is a significant transformation underway - a shift toward automating PKI management. In this article, we'll examine the challenges inherent in traditional PKI management, explore the paradigm shift towards automation, and underline the advantages of adopting this innovative approach, with a particular focus on our tool, EZCA by Keytos, the only truly native Azure PKI.
Odds are you’ve landed here after the long and tedious exercise that is searching the Internet for the best Intune SCEP CA. We know that selecting the right Certificate Authority (CA) to issue Simple Certificate Enrollment Protocol (SCEP) certificates for Intune can be challenging, to say the least! With numerous vendors and factors to consider, how can you really be certain you’re making the right decision? Luckily, we’ve taken the guesswork out of the equation for you! This blog post aims to guide security developers by aligning key selection criteria with the remarkable features of EZCA, the first Azure-native CA designed with Intune SCEP in mind!
Your organization has been running for years without needing an SSL management tool. Did you know that this is actually incredibly costly? Click here to learn all about the costs of not implementing an SSL management tool, as well as the best way to monitor SSL certificates.
Public CAs are recognized third-party entities that satisfy the criteria set by leading certificate stores, including Microsoft, Apple, and Mozilla; due to this, devices’ operating systems inherently trust public CAs. This means that individuals within an entity don’t have to manually register their certificates, as the system already deems them trustworthy. Click here to learn more about public CAs, what they are used for and how to request one!
Private CAs are predominantly employed for internal certificates, ensuring that the certificate doesn’t require external party validation. Typical applications of a private CA encompass internal websites, application, user, and device authentication. Click here to learn more about what a private CA is and why it is used.
Most everyone responsible for managing device access across their organization using Intune has eventually been stumped by a couple of questions. “What’s the best Certificate Authority for Intune?” and “How am I going to take care of all these dang certificates?” Luckily for you, we’ve created EZCA to help you modernize your PKI in minutes! Read on to find out how EZCA by Keytos can help make MDM painless!
Cyber threats are ever evolving, and organizations constantly seek out streamlined solutions to protect their digital assets. That being said, protocols that automate secure processes are absolutely golden. Enter ACME, or Automated Certificate Management Environment. But the pressing question lingers: is the ACME protocol secure? Let's take a thorough look into ACME, its security features, some common misconceptions, and how it'll keep you secure.
As certificate-based authentication continues to increase, ensuring that these certificates are valid and trustworthy is of extreme importance. Bad actors and threats are becoming increasingly sophisticated, so the way we monitor and validate certificates has had to evolve to maintain the security of our precious data. In the following, we’ll explore what these protocols are, why they’re so important, how they differ, and why the contemporary Security Engineer should become familiar with them.
ACME is an acronym that stands for Automated Certificate Management Environment, and when simplified to an extreme degree, it’s a protocol designed to automate the interaction between certificate authorities (CAs) and users' web servers. How can you use this to further improve your organization's handling of certificates? Read on to find out!
As the need for secure and compliant data transactions (of all sorts) continues to skyrocket, the use of SSL and TLS certificates has become increasingly prevalent. But what happens when certificates expire or don’t get renewed in a timely fashion? In an effort to nip this problem in the bud, the ACME protocol was created. In this blog, we'll take a look into the details of ACME to understand how it helps prevent SSL-related outages.
Modern organizations, regardless of size, find themselves in an ongoing battle to safeguard their precious data from prying eyes and malicious actors. Central to this is PKI. When it comes to deploying PKI, organizations stand at a crossroad - should they tread the challenging path of manual, in-house certificate management or opt for the streamlined and efficient route provided by 3rd party tools? As we delve deeper into the world of PKI in this blog, you'll discover why choosing the latter could be the game-changer your organization needs.
OCSP stands for “Online Certificate Status Protocol.” As its name suggests, it’s a protocol specifically designed to check the revocation status of individual digital certificates. But how does it work and, more importantly, how does it impact your organization? Read our tell-all piece on OCSP to find out!
You’ve probably seen us mention X.509 certificates many times in different blogs and pages on our site, but what exactly are they? What makes a certificate an X.509 certificate? Is an X.509 certificate any different from an SSL certificate?
Automating SSL Certificate Management removes the inevitable human error associated with almost every SSL outage. Keep reading, follow these steps, and you’ll significantly reduce the likelihood of any SSL certificate outages in the future.
HSMs provide a dedicated, secure, and tamper-resistant environment for managing cryptographic keys, performing encryption and decryption operations, and automating key lifecycle management. In this article, we will delve into the fundamentals of HSMs, why they are crucial in modern cybersecurity, their relevance within the context of existing solutions, and how various industries leverage them.
SSL monitoring, also referred to as SSL certificate monitoring, is the ongoing process of checking and validating SSL certificates and their configurations on websites and services. But why is SSL monitoring important? Click here to find out!
CAA stands for Certificate Authority Authorization (try saying that five times fast), but don't let that mouthful throw you off. In this blog, we go over the fundamentals of what a CAA is and why a CAA is so important in your PKI journey.
In the digital world, the security of communications, especially online transactions, is incredibly important. A significant aspect of this security revolves around digital certificates; like all things digital, however, certificates can sometimes become compromised. This is where a Certificate Revocation List (CRL) becomes essential. In this blog, we'll delve deep into the concept of a CRL, its significance, its working mechanism, and even touch upon creating one.
With the move to the cloud, people are looking for ADCS alternatives in Azure. In this article, we will show you how to set up a PKIaaS Azure Certificate Authority with Azure Key Vault or dedicated HSM.
Client certificate authentication is one of the most secure ways for customers to authenticate into your APIs. In this blog, we will show you how to set up client certificate authentication with automatic certificate rotation in Azure API Management Service.
With the ability to issue SCEP certificates for Intune, organizations can now use passwordless authentication for their VPN, network infrastructure and more, all without the need for a large on-premises infrastructure, thus eliminating the need for domain controllers, certificate authorities, hardware security modules (HSMs), certificate revocation list (CRL) servers, and SCEP servers. Check out our blog on how Intune works with SCEP to learn more about the basics behind this.
Microsoft said for years that they would create and offer a PKI for Intune; unfortunately, they could not do it. Instead, Microsoft recommends that organizations use EZCA to set up an Intune PKI. Read on to learn exactly what you need to do to set up an Intune PKI with EZCA.
CT logs play a crucial role in detecting and mitigating security incidents related to certificate issuance, benefiting both end-users and organizations relying on secure communication. But what exactly are they, and why should you take note of them?
The world of CA hierarchy and design is a complex one – but it doesn’t have to be. The implementation of proper certificate authority hierarchy and design is key to secure communication across your organization.
SCEP (Simple Certificate Enrollment Protocol) can be used in conjunction with Microsoft Intune, a cloud-based endpoint management solution, to facilitate the deployment and management of digital certificates on devices managed by Intune. But how does Intune work with SCEP? Read on to find out.
Root certificate authorities and issuing/subordinate certificate authorities are vital to CA design, particularly in a Two-Tier Hierarchy. So, what are they and what makes them so important?
Simply put, SCEP is a protocol used to automate the issuance and management of certificates within a Public Key Infrastructure (PKI) environment. But how does it work, and why should you and your organization care? Read on to find out everything you should know about what SCEP is.
PKI is based on trust - clients must be able to trust the root CA in order to build a chain of trust and accept a certificate. Not only is trust the key to PKI, but it is also the key to understanding public vs private certificate authorities.
While Remote Desktop Protocol (RDP) is a convenient and efficient way to access remote systems, if it is not properly administered, it can be vulnerable to some attacks such as Man-In-The-Middle attacks caused by using the Trust on First Use (TOFU) model. In this blog post, we will discuss why RDP TOFU is a bad security model and why organizations should use SSL certificates instead.
With the move to the cloud, the days of manually managing SSL certificates are gone. Now, most organizations are moving to the ACME protocol, an easy-to-use protocol that automatically renews your SSL certificates, preventing costly outages while freeing your engineers' time to focus on other critical tasks.
As with many security tools, the origin of certificate transparency logs can be traced back to a cyberattack. The attack that can be credited with the creation of CT Logs is the 2011 DigiNotar attack. Now, Certificate Transparency logs enable organizations to have full visibility to all certificates issued for their domains.
With the exponential growth of online services, it has become impossible to manually rotate application certificates. Learn how you can automate your AAD Application certificate rotation with the new automatic Azure AD certificate rotation from EZCA.
Stolen subdomains are a hot commodity on the black market. CAA records can help you protect your organization from this scary vulnerability by limiting SSL certificate issuance to your organization only. Learn more about how to set it up.
ADCS has been the go-to Certificate Authority for over two decades. While it is secure and reliable, it does not meet the cloud needs that organizations now have. EZCA enables you to modernize your existing ADCS PKI by extending it and adding modern protocols and integrations such as a REST API, Azure Key Vault integration, Azure IoT integration, and ACME.
The number of deployed IoT devices is growing exponentially, and so are the cyber-attacks geared against IoT. The first large-scale IoT device attack was the Mirai botnet, which brought down a large part of the internet. How did the attackers gain control over thousands of IoT devices? It was simply a hard-coded credential that gained them access to the device's operating system.