Contact Us

PKI Guides and Best Practices

What is PKI? PKI definition

What is PKI and What Do You Need to Get Started?

PKI is a combination of hardware, software, policies, and standards that work together to provide a comprehensive framework for secure communications in the digital world. The general consensus in the cybersecurity world is that PKI is hard - here at Keytos, we beg to differ. PKI is actually easy! In this blog, we'll run through what PKI is and the best way for you to get started with it.

How do NDES and SCEP work together?

How NDES Works with SCEP

In the world of network security and certificate management, two prominent technologies often come to the forefront: Microsoft Network Device Enrollment Service (NDES) and Simple Certificate Enrollment Protocol (SCEP). Although these technologies are interconnected, they serve distinct roles within the digital landscape. Let's take a deeper dive into what each technology is and how they work hand-in-hand.

What is a Subordinate Certificate Authority? What is an Issuing CA?

What is a Subordinate CA? (What is an Issuing CA?)

In a Two-Tier PKI Hierarchy, which is the recommended structure employed in certificate management, two main types of certificate authorities (CAs) emerge: the root CA and the subordinate CA, also known as the issuing CA. While the root CA is the primary trust anchor and sits at the pinnacle of this hierarchy, the subordinate CA plays a more nuanced and specific role. In this blog, we will explore what exactly the role of the subordinate CA is.

What is a Root Certificate Authority? What is a Root CA?

What is a Root CA?

A root certificate authority, often referred to as the foundation of trust in your PKI system, is pivotal for authenticating a certificate chain. For this chain to be trusted, the root certificate must be embedded into the operating system's trusted root store. Check out this blog for an in-depth look at root CAs!

Use CAA Records to Protect Your SSL Certificates

Protect Your SSL Certificates with CAA Records!

Compromised subdomains are becoming increasingly valuable amongst hackers and other cyber criminals in the darker corners of the internet. How can you best protect your SSL certificates from being compromised? CAA Records. Check out this blog to learn how this straightforward solution proves to be a potent defense mechanism, emphasizing its potential to be a significant deterrent against future phishing threats.

How to Detect Shadow IT Certification Authorities

How to Detect Shadow IT Certificate Authorities

With the growth of certificate-based authentication, many organizations have found Shadow IT CAs run by engineers that needed certificates and did not use the company-approved private CA. These are usually not created with malicious intent, but instead, an engineer realizes that they need a certificate authority to create certificates for their authentication (either to their application, to a cloud service, or something else). Since they do not know who to talk to or if the organization has an internal Certificate Authority for this use case, they go ahead and create a certificate authority on their own. This is a major risk for you since certificate authorities – if not configured properly – can become huge vulnerabilities for your organization. Check out this blog to learn about the best way to detect and combat shadow IT certificate authorities.

SSL vs. TLS; the difference between SSL and TLS

The Difference Between SSL and TLS Certificates

A crucial security measure for organizations interacting with customers is safeguarding the data exchanged between both entities against external threats. If data integrity is compromised, it erodes the trust of customers or data recipients as their information becomes vulnerable. Leveraging SSL and TLS certificates ensures over-the-air data remains secure. In this blog, we will aim to clarify the mystique surrounding the difference between SSL and TLS certificates – if there is any.

Certificate Authority in Azure Key Vault – How to Protect Your Keys

How To Create a Microsoft CA in Azure Key Vault

As more and more systems are being moved from on-premises to the cloud, more people are considering how to move certificate authorities to Azure. Browsing through Microsoft forums from even years ago, we can see that people want such things as a new PKI that connects to Intune and Azure Key Vault and having Key Vault act as a KSP to run certificate authorities in the cloud. In this blog, we will run through some alternatives to run CAs in the cloud in order to best help your organization modernize its PKI.

Best Cloud PKI for Intune - EZCA

Cloud PKI for Intune – Microsoft's Top Pick: EZCA by Keytos

For the longest time now, the tech community been patiently waiting for our buddies at Microsoft to FINALLY build at Cloud PKI for Intune. But as the universe would have it, this vision didn't materialize. Shocking, I know. Luckily for us, Microsoft has graciously decided to shine its spotlight onto EZCA by Keytos — a revolutionary cloud-based PKI tailored for Intune. Built by ex-Microsoft Cloud PKI Engineers, EZCA is clearly the best option for organizations looking to button-up their security best practices around Intune certificates. If you're eager to upgrade your Intune PKI, keep on reading.

Windows ADCS Enable ACME support with EZCA

How to Enable ACME Issuance in Windows ADCS CA

You can now use the popular PKI protocol ACME to manage your ADCS (Active Directory Certificate Services) internal certificates with Keytos' EZCA. Allowing you to use your same certificate automation tools you use for your external certificates for your internal certificates.

What does Google's 90-day certificate rotation mandate mean for your organization?

90-Day Certificate Rotation Mandate from Google: Implications for the Modern Security Practitioner

If we’re being honest, Google has been bullying the internet into decisions for the better part of two decades (like Certificate Transparency Logs). Most recently, they announced that they’re mandating that all certificates need to be to be rotated every 90 days. This new policy has significant ramifications for identity engineers, and in this article, we will take a look into the implications of this mandate for everyday security practitioners.

What is a Private PKI? Why do you need a Private PKI? Private PKI Explained.

What is a Private PKI and Why Do You Need One?

Private PKI is basically an amalgamation of mechanisms using public key cryptography to verify the authenticity of users and devices. This infrastructure utilizes digital certificates, certificate authorities (CAs), and certificate revocation lists (CRLs) to remain operational. But not all PKIs are equal... This is where you’ll observe the differentiation and clear distinction between public PKIs and their private counterparts. This article will provide a quick outline the intricacies of a private PKI and let you know a little bit more as to why it might be good for your organization.

Create an Azure-based CA in minutes. Create an Azure-based Certificate Authority in minutes. How to Deploy a CA in Azure. How to Deploy a Certificate Authority in Azure.

How to Deploy a Certificate Authority in Azure

When moving to the cloud, one of the questions your security team will ask is, "How can I get an HSM (Hardware Security Module) backed Certificate Authority/PKI (Public Key Infrastructure) in Azure?" While there is no Certificate Authority as a service offered by Azure or Key Vault, we are happy to offer EZCA, an Azure based Certificate Authority that leverages Key Vault and Azure Dedicated HSM(s) to create cloud-native Certificate Authorities in Azure.

PKI Automation - Streamlining Digital Security - The Evolution of PKI Management

PKI Automation - Streamlining Digital Security - The Evolution of PKI Management

In today’s world, which is increasingly gravitating towards zero-trust principles, Public Key Infrastructure (PKI) stands as a pillar of trust. Yet, conventional methods of handling PKI often come with their fair share of issues and stumbling blocks, potentially leading to vulnerabilities and operational inefficiencies. However, there is a significant transformation underway - a shift toward automating PKI management. In this article, we'll examine the challenges inherent in traditional PKI management, explore the paradigm shift towards automation, and underline the advantages of adopting this innovative approach, with a particular focus on our tool, EZCA by Keytos, the only truly native Azure PKI.

The Best Intune SCEP Certificate Authority (Intune SCEP CA)

Best Intune SCEP Certificate Authority

Odds are you’ve landed here after the long and tedious exercise that is searching the Internet for the best Intune SCEP CA. We know that selecting the right Certificate Authority (CA) to issue Simple Certificate Enrollment Protocol (SCEP) certificates for Intune can be challenging, to say the least! With numerous vendors and factors to consider, how can you really be certain you’re making the right decision? Luckily, we’ve taken the guesswork out of the equation for you! This blog post aims to guide security developers by aligning key selection criteria with the remarkable features of EZCA, the first Azure-native CA designed with Intune SCEP in mind!

SSL Certificate Monitoring

The Best Way to Monitor SSL Certificates

Your organization has been running for years without needing an SSL management tool. Did you know that this is actually incredibly costly? Click here to learn all about the costs of not implementing an SSL management tool, as well as the best way to monitor SSL certificates.

What is a Public Certificate Authority?

What is a Public CA?

Public CAs are recognized third-party entities that satisfy the criteria set by leading certificate stores, including Microsoft, Apple, and Mozilla; due to this, devices’ operating systems inherently trust public CAs. This means that individuals within an entity don’t have to manually register their certificates, as the system already deems them trustworthy. Click here to learn more about public CAs, what they are used for and how to request one!

What is a Private Certificate Authority?

What is a Private CA?

Private CAs are predominantly employed for internal certificates, ensuring that the certificate doesn’t require external party validation. Typical applications of a private CA encompass internal websites, application, user, and device authentication. Click here to learn more about what a private CA is and why it is used.

Intune CA for Devices - MDM Made Easy by Keytos

Intune Certificate Authority for Devices – MDM Made Easy by Keytos

Most everyone responsible for managing devices access across their organization using Intune has eventually been stumped by a couple of questions. “What’s the best Certificate Authority for Intune?” and “How am I going to take care of all these dang certificates?” Luckily for you, we’ve created EZCA to help you modernize your PKI in minutes! Read on to find out how EZCA by Keytos can help make MDM painless!

ACME Protocol - is ACME Protocol Secure?

Is ACME Protocol Secure?

Cyber threats are ever evolving, and organizations constantly seek out streamlined solutions to protect their digital assets. That being said, protocols that automate secure processes are absolutely golden. Enter ACME, or Automated Certificate Management Environment. But the pressing question lingers, is the ACME protocol secure? Let's take a thorough look into ACME, its security features, some common misconceptions, and how it'll keep you secure.

The Difference Between CRL and OCSP (CRL vs OCSP)

CRL vs. OCSP - Certificate Revocation for the Modern Security Engineer

As certificate-based authentication continues to increase, ensuring that these certificates are valid and trustworthy is of extreme importance. Bad actors and threats are becoming increasingly sophisticated, so the way we monitor and validate certificates has needed to be developed to maintain the security of our precious data. In the following, we’ll explore what these protocols are, why they’re so important, how they’re different, and why the contemporary Security Engineer should become familiar.

What is ACME Protocol? Modern Use Cases for Certificate Automation & Management

What is ACME Protocol? Modern Use Cases for Certificate Automation & Management

ACME is an acronym that stands for Automated Certificate Management Environment, and when simplified to an extreme degree, it’s a protocol designed to automate the interaction between certificate authorities (CAs) and users' web servers. How can you use this to further improve your organization's handling of certificates? Read on to find out!

What is ACME? How Does ACME Prevent SSL Related Outages?

What is ACME & How Does It Prevent SSL Related Outages?

As the need for secure and compliant data transactions (of all sorts) continues to skyrocket, the use of SSL and TLS certificates has become increasingly prevalent. But what happens when certificates expire or don’t get renewed in a timely fashion? In an effort to nip this problem in the bud, ACME protocol was created. In this blog, we'll take a look into the details of ACME to understand how it helps in preventing SSL related outages.

Why You Need Third Party PKI Tools

Why You Need 3rd Party PKI Tools

Modern organizations, regardless of size, find themselves in an ongoing battle to safeguard their precious data from prying eyes and malicious actors. Central to this is PKI. When it comes to deploying PKI, organizations stand at a crossroad - should they tread the challenging path of manual, in-house certificate management or opt for the streamlined and efficient route provided by 3rd party tools? As we delve deeper into the world of PKI in this blog, you'll discover why choosing the latter could be the game-changer your organization needs.

What is OCSP (Online Certificate Status Protocol)?

What is OCSP?

OCSP stands for “Online Certificate Status Protocol.” As its name suggests, it’s a protocol specifically designed to check the revocation status of individual digital certificates. But how does it work and, more importantly, how does it impact your organization? Read our tell-all piece on OCSP to find out!

What Are X509 Certificates?

What Are X.509 Certificates?

You’ve probably seen us mention X.509 certificates many times in different blogs and pages on our site, but what exactly are they? What makes a certificate an X.509 certificate? Is an X.509 certificate any different from an SSL certificate?

How to prevent SSL outages

How to Prevent SSL Outages

Automating SSL Certificate Management removes the inevitable human error associated with almost every SSL outage. Keep reading, follow these steps, and you’ll significantly reduce the likelihood of any SSL certificate outages in the future.

What are HSMs? Why are Hardware Security Modules important?

What Are Hardware Security Modules (HSMs) and Why Are They Important?

HSMs provide a dedicated, secure, and tamper-resistant environment for managing cryptographic keys, performing encryption and decryption operations, and automating key lifecycle management. In this article, we will delve into the fundamentals of HSMs, why they are crucial in modern cybersecurity, their relevance within the context of existing solutions, and how various industries leverage them.

Why You Need To Monitor Your SSL Certificates

What is SSL Monitoring? Why is SSL Monitoring Important?

SSL monitoring, also referred to as SSL certificate monitoring, is the ongoing process of checking and validating SSL certificates and their configurations on websites and services. But why is SSL monitoring important? Click here to find out!

What is a Certificate Authority Authorization? Why is a CAA Important?

What is a Certificate Authority Authorization (CAA)?

CAA stands for Certificate Authority Authorization (try saying that five times fast), but don't let that mouthful throw you off. In this blog, we go over the fundamentals of what a CAA is and why a CAA is so important in your PKI journey.

What is a CRL / What is a Certificate Revocation List / What is CRL?

What is a CRL (Certificate Revocation List)?

In the digital world, the security of communications, especially online transactions, is incredibly important. A significant aspect of this security revolves around digital certificates; like all things digital, however, certificates can sometimes become compromised. This is where a Certificate Revocation List (CRL) becomes essential. In this blog, we'll delve deep into the concept of a CRL, its significance, its working mechanism, and even touch upon creating one.

Certificate Authority Azure Key Vault. ADCS in Azure - How to protect your Private Keys with Azure Key Vault or dedicated HSM.

How to Set Up Azure Certificate Authority with Azure Key Vault

With the move to the cloud, people are looking for ADCS alternatives in Azure. In this article, we will show you how to set up a PKIaaS Azure Certificate Authority with Azure Key Vault or dedicated HSM.

How to enable client certificate authentication in Azure API Management Service

How To Set Up Client Certificate Authentication in Azure API Management Service

Client certificate authentication is one of the most secure ways for customers to authenticate into your APIs. In this blog, we will show you how to set up client certificate authentication with automatic certificate rotation in Azure API Management Service.

How to use Intune SCEP to get SSL certificates for your Intune managed devices

Intune SCEP – How to Get SSL Certificates

With the ability to issue SCEP certificates for Intune, organizations can now use passwordless authentication for their VPN, network infrastructure and more, all without the need for a large on-premises infrastructure, thus eliminating the need for domain controllers, certificate authorities, hardware security modules (HSMs), certificate revocation list (CRL) servers, and SCEP servers. Check out our blog on how Intune works with SCEP to learn more about the basics behind this.

How to set up Intune PKI

How to Set Up Intune PKI

Microsoft said for years that they would create and offer a PKI for Intune; unfortunately, they could not do it. Instead, Microsoft recommends that organizations use EZCA to set up an Intune PKI. Read on to learn exactly what you need to do to set up an Intune PKI with EZCA.

What are Certificate Transparency Logs and Why are CT Logs Important?

What Are Certificate Transparency Logs? Why Are CT Logs Important?

CT logs play a crucial role in detecting and mitigating security incidents related to certificate issuance, benefiting both end-users and organizations relying on secure communication. But what exactly are they, and why should you take note of them?

How to Choose the Right Certificate Authority Hierarchy

What is Certificate Authority Hierarchy and Which CA Hierarchy Should I Use?

The world of CA hierarchy and design is a complex one – but it doesn’t have to be. The implementation of proper certificate authority hierarchy and design is key to secure communication across your organization.

How Does Intune Work With SCEP?

How Does Intune Work with SCEP?

SCEP (Simple Certificate Enrollment Protocol) can be used in conjunction with Microsoft Intune, a cloud-based endpoint management solution, to facilitate the deployment and management of digital certificates on devices managed by Intune. But how does Intune work with SCEP? Read on to find out.

Root CA vs Issuing CA; Root vs Issuing Certificate Authority

Root vs Issuing Certificate Authority - What is the Difference Between a Root CA and an Issuing CA?

Root certificate authorities and issuing/subordinate certificate authorities are vital to CA design, particularly in a Two-Tier Hierarchy. So, what are they and what makes them so important?

How Does Intune Work With SCEP? SCEP Meaning.

What is SCEP and How Does it Work?

Simply put, SCEP is a protocol used to automate the issuance and management of certificates within a Public Key Infrastructure (PKI) environment. But how does it work, and why should you and your organization care? Read on to find out everything you should know about what SCEP is.

What is the difference between a private and public CA?

Public vs Private CA - What’s the Difference?

PKI is based on trust - clients must be able to trust the root CA in order to build a chain of trust and accept a certificate. Not only is trust the key to PKI, but it is also the key to understanding public vs private certificate authorities.

Stop Blindly Trusting RDP Servers with Trust on First Use (TOFO)

How To Create RDP SSL Certificates for Azure VMs

While Remote Desktop Protocol (RDP) is a convenient and efficient way to access remote systems, if it is not properly administered, it can be vulnerable to some attacks such as Man-In-The-Middle attacks caused by using the Trust on First Use (TOFU) model. In this blog post, we will discuss why RDP TOFU is a bad security model and why organizations should use SSL certificates instead.

EZCA The First ACME CA with ADCS Support

How to Enable ACME in Your Private PKI

With the move to the cloud, the days of manually managing SSL certificates are gone. Now, Most organizations are moving to the ACME protocol. An easy to use protocol that automatically renews your SSL certificates preventing costly outages while freeing your engineers time to focus on other critical tasks.

Certificate Transparency Logs Explained

What Are Certificate Transparency Logs?

As with many security tools, the origin of certificate transparency logs can be traced back to a cyberattack. The attack that can be credited with the creation of CT Logs is the 2011 DigiNotar attack. Now, Certificate Transparency logs enable organizations to have full visibility to all certificates issued for their domains.

Automatically rotate AAD Application certificates

How to Automatically Rotate AAD Application Certificates

With the exponential growth of online services, it has become impossible to manually rotate application certificates. Learn how you can automate your AAD Application certificate rotation with the new automatic Azure AD certificate rotation from EZCA.

Stop attackers before they start with CAA

How to Protect SSL Certificates From Unauthorized Issuance

Stolen subdomains are a hot commodity in the black market, CAA records can help you protect your organization from this scary vulnerability by limiting SSL Certificate issuance to your organization only. learn more on how to set it up.

Modernize ADCS with EZCA and Azure

Get ADCS Ready for Cloud Scale

ADCS has been the go to Certificate Authority for over two decades, while it is secure and reliable, it does not meet the cloud needs that organizations now have. EZCA enables you to modernize your existing ADCS PKI by extending it and adding modern protocols such as REST API, Azure Key Vault integration, Azure IoT integration, and ACME

IoT devices are under attack

IoT is Under Attack!

The number of deployed IoT Devices is growing exponentially, and so are the cyber-attacks geared against IoT. The first large scale IoT device attack was Mirai botnet bringing down a large part of the internet. How did the attacker gain control over thousands of IoT devices? It was simply a hard coded credential that gained them access into the device's Operating System.