
Does Azure Have a Private Cloud Certificate Authority?

15 Feb 2024

Does Azure Have a Cloud Certificate Authority for Private Certificates?

As I’m sure you’re well aware, the importance of private Certificate Authorities in modern cybersecurity simply cannot be overstated. Companies like Google and AWS have both delivered functional PKIs for their users, making the process of issuing and managing private certificates a proverbial “piece of cake.” But what about Microsoft? Does Azure have a cloud certificate authority? Of course not! Security Engineers operating within the Microsoft/Azure ecosystem have had to rely on 3rd-party PKI tools to ensure data security in the cloud. To be fair, they’ve been teasing the release for a few years now, and just a few weeks ago, they finally announced they’re ready to deliver a Cloud PKI for Intune. You’d imagine that the Security community would be ecstatic about the announcement, but nothing could be further from the truth. To put it plainly, Microsoft’s cloud PKI falls short of expectations.

What are the Problems with Microsoft’s Cloud PKI?

You’re probably wondering, “What the heck is the problem with announcing a new solution?” Generally speaking, new product announcements are met with great enthusiasm. But when your clients are expecting one thing, and you SERIOUSLY underdeliver, you’re going to hear about it. Here’s a quick peek at what it doesn’t support…

SCEP for Non-Intune MDMs: It’s been more than a year since u/SecurityRabbit had this to say in r/AZURE

“Would be nice if they would offer a SCEP service that actually works instead of having to try to use some add-on like SCEPman which is financially unworkable.”

…I hate to be the bearer of bad news, but it is not included.


OCSP: Unlike more traditional methods like CRLs, OCSP was designed specifically for retrieving the revocation status of individual certificates, making it much more efficient, and consequently more popular, than its traditional counterpart. Unfortunately, it is not included in Microsoft’s new Cloud PKI, making it incompatible with most RADIUS and network authentication appliances.
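To make the CRL-versus-OCSP distinction concrete, here is an added Python example (not code from this post, from Keytos, or from Microsoft) that plays both sides of the revocation check a RADIUS server performs when a device presents a client certificate. It builds a throwaway lab CA with the `cryptography` library, issues two device certificates, revokes one, and then checks each certificate first by scanning the whole CRL and then by sending a one-serial OCSP request to an in-process responder. The CA name, the device names and the revocation reason are constructed for the demo; in production the CA key would live in an HSM or a managed CA service and the OCSP answer would come over HTTP.

```python
"""Two ways a verifier (e.g. a RADIUS server) learns whether a client
certificate is revoked: pulling the CA's whole CRL, or asking OCSP about
one serial. All keys and certificates here are constructed on the fly."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)


def _now():
    # Naive UTC timestamps are accepted by every cryptography release's builders.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca():
    """Self-signed EC root (constructed); a real CA key lives in an HSM or CA service."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Lab Root CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - DAY).not_valid_after(_now() + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name):
    """End-entity certificate of the kind a device presents for network authentication."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - DAY).not_valid_after(_now() + 30 * DAY)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials):
    """CA side: one signed list carrying every revoked serial, re-downloaded by all verifiers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(_now()).next_update(_now() + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())


def crl_says_revoked(crl, ca_cert, leaf):
    """Verifier side: check the CRL signature, then look the serial up in the list."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None


def ocsp_request_for(leaf, ca_cert):
    """Verifier side: an OCSP request names exactly one certificate (issuer hash + serial)."""
    return ocsp.OCSPRequestBuilder().add_certificate(leaf, ca_cert, hashes.SHA1()).build()


def ocsp_respond(ca_key, ca_cert, leaf, revoked_serials):
    """Responder side; here the CA key signs directly, a delegated responder cert is also common."""
    revoked = leaf.serial_number in revoked_serials
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=leaf, issuer=ca_cert, algorithm=hashes.SHA1(),
                             cert_status=(ocsp.OCSPCertStatus.REVOKED if revoked
                                          else ocsp.OCSPCertStatus.GOOD),
                             this_update=_now(), next_update=_now() + DAY,
                             revocation_time=_now() if revoked else None,
                             revocation_reason=(x509.ReasonFlags.key_compromise
                                                if revoked else None))
               .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert))
    return builder.sign(ca_key, hashes.SHA256())


def ocsp_says_revoked(request, response, ca_cert):
    """Verifier side: require a successful, CA-signed answer about the serial we asked for."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder did not answer")
    ca_cert.public_key().verify(response.signature, response.tbs_response_bytes,
                                ec.ECDSA(response.signature_hash_algorithm))
    if response.serial_number != request.serial_number:
        raise ValueError("response is for a different certificate")
    return response.certificate_status == ocsp.OCSPCertStatus.REVOKED


def demo():
    """Issue two device certs, revoke one, and check both via CRL and via OCSP."""
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "laptop-01")
    bad = issue_leaf(ca_key, ca_cert, "laptop-02")
    revoked = {bad.serial_number}
    crl = build_crl(ca_key, ca_cert, revoked)
    results = {}
    for name, leaf in (("laptop-01", good), ("laptop-02", bad)):
        req = ocsp_request_for(leaf, ca_cert)
        resp = ocsp_respond(ca_key, ca_cert, leaf, revoked)
        results[name] = (crl_says_revoked(crl, ca_cert, leaf),
                         ocsp_says_revoked(req, resp, ca_cert))
    return results  # {'laptop-01': (False, False), 'laptop-02': (True, True)}


if __name__ == "__main__":
    print(demo())
```

The verifier functions show why appliances care about OCSP: with a CRL the RADIUS server must fetch and validate the entire list before it can answer for a single device, while the OCSP path asks about one serial and validates one short signed answer, which is also why an OCSP response must be checked for signature and for the serial it actually covers before it is trusted.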

SmartCard Certificates: Smartcards have been one of the most widely used authentication methods associated with passwordless and phishing-resistant credentials for quite some time now. Microsoft themselves added Azure CBA support last year. However, this new PKI can only issue certificates for single-factor authentication and does not accommodate the more secure version of smartcards, or YubiKeys.

ACME: Long story short, having ACME support in a private CA is an absolute must in this day and age.

Key Vault Certificate Rotation: Azure Key Vault allows you to securely manage your certificates and services, and even pushes them to your Azure VMs. AKV has supported automated certificate rotation for DigiCert for over 5 years, and adding similar functionality for private certificates would make this new cloud offering a great option. But it isn’t there.

IoT Hub Integration: Outside of Intune, the biggest use case for certificates is in Azure IoT Hub.

As you can see, the only thing that Microsoft’s Cloud PKI does is issue certificates through Intune SCEP. It’s a good start, but it’s not enough for the needs of modern enterprises, many of which already run up to 9 different CAs from different providers. Now, you’re probably wondering, “What’s the best alternative to Azure PKI?”

What’s the Best Alternative to Azure PKI?

Considering the obvious shortcomings, Engineers have continued to search for the best alternatives to Microsoft’s Cloud PKI. Without question, EZCA by Keytos is the clear frontrunner. Not only is it the most intuitive and robust solution, it is simultaneously the least expensive. EZCA is the first and only Azure-native CA, and was built by ex-Microsoft PKI Engineers, specifically for other PKI Engineers. For this reason, it has become the go-to solution for organizations across the globe. There’s even an EU-specific EZCA that helps our friends across the pond adhere to their unique compliance and regulatory guidelines.

EZCA has also become the de-facto Cloud PKI for the IoT community due to our outstanding documentation that covers everything from the basics of IoT security best practices, to setting up CBA in Azure IoT Hub, to providing Azure IoT code samples and NuGet packages… we strive to make implementation as frictionless as possible. We know how much the Engineering community dislikes having to sit on sales discovery calls, so we’ve designed EZCA to be as DIY as possible by providing you with all the information you’ll need to get things up-and-running. That said, we’re always happy to chat, and pride ourselves on providing excellent customer service. Feel free to book time to talk to our Identity experts and get a FREE PKI evaluation!
