With the move to the cloud, many people are looking at options on how to move ADCS to Azure. Looking through the Microsoft forums we see questions such as people wanting a new PKI that connects to Azure Key Vault and Intune, having key vault act as a KSP to run ADCS in the cloud and more. In this post we will talk about different alternatives to run Certificate Authorities in the cloud to help you modernize your PKI.
The first option that comes to mind when management asks you to move your Certificate Authorities to the cloud is to run your existing on-premises infrastructure in the cloud. While this is the familiar path, there are some caveats when trying to secure it, from all the known ADCS misconfigurations that can cause a security breach, to needing to have an express route connection to an on-premises HSM to secure your keys running ADCS in an Azure VM is not the most scalable or economical way migrate your PKI.
Since Microsoft has mentioned they are not building an Azure PKI, some Microsoft partners have created PKI offerings in Azure; however, the only cloud PKI offering that is fully integrated with Azure (and even build by ex-Microsoft PKI engineering team) is EZCA. EZCA’s native Azure integrations allow you to connect to Azure resources as you would natively from other Azure resources.
With the growing focus on zero-trust, organizations are moving their device authentication to certificate based authentication. Intune SCEP allows organizations to distribute these certificates to user devices. EZCA connects to Intune as a Microsoft approved PKI and enables you to have a fully cloud based infrastructure and set up your Intune cloud based PKI in hours instead of weeks.
With the exponential growth of SSL certificates, it is impossible for PKI teams to verify each certificate request and manually issue the certificate for the users. This has lead to the creation of ACME, this automated way, allows the CA to validate the ownership of a domain by requiring the requester to place a specific challenge in the domain. EZCA allows you to enable ACME for your private network, either by using our ACME capable cloud based CAs or by modernizing your existing ADCS with ACME.
With the growth of cloud adoption, manually managing certificates has become impossible, to help with this we have integrated with Azure Key Vault to enable Microsoft customers to automatically rotate their private CA certificates in the cloud.
Unfortunately, Azure AD Applications still do not support subject based authentication for certificate authentication, meaning that each time your certificate is rotated you must register the new thumbprint in Azure AD. To help organizations automate their Azure AD Application credential management we have enhanced our Azure Key Vault certificate rotation feature with automatic registration of the new certificate in Azure AD, being the first tool to automate certificate rotation for Azure AD Applications.
Azure IoT certificate-based authentication is the most secure way to authenticate your IoT devices to Azure. If you are planning to use your CA to issue IoT certificates, we have created an IoT security best practices guide as well as a one click integration with Azure IoT, enabling organizations to kickstart their IoT development by following security best practices with a Certificate Authority that can scale to meet their needs.
While Azure integrations and modern protocols such as ACME might be enough for 90% of Azure customers, we are committed to empowering everyone to have a secure PKI in Azure. This is why we have created open-source certificate rotation tools as well as a popular NuGet Package with one line certificate requests, empowering from engineers maintaining legacy infrastructure, to the engineers building the infrastructure of the future, EZCA and Azure are here to help.
EZCA seamlessly integrates with EZCMS to enable organizations to go fully passwordless in Azure by managing the user onboarding, hardware key distribution and even support for the Microsoft Authenticator application, making these two tools a must for organizations trying to go passwordless.
If you read all this information about EZCA and would hope that this ADCS replacement would also manage your public certificates you are in luck, last month we announced public SSL certificate management for EZCA, allowing you to bring all these amazing integrations to your public certificate management.
The migration to the cloud is an inevitable trend, but with it comes new challenges and questions, especially around secure PKI transitions. The traditional practice of running Active Directory Certificate Certificates (ADCS) in an Azure VM, while familiar, may not always be the most efficient or secure. Modern solutions, such as cloud-based PKIs, offer enhanced flexibility, integration, and security, especially when specifically tailored for Azure environments. EZCA stands out as a comprehensive tool with its native Azure integrations, providing automated solutions for modern challenges. Their commitment to adaptability and versatility is evident with their inclusion of open-source tools and their NuGet package, ensuring that they can cater to a diverse range of Azure customers. For organizations looking to streamline and fortify their PKI in Azure, turning to solutions like EZCA that are deeply integrated and cognizant of the cloud’s intricacies can provide a smoother transition and a more secure digital future.
