When moving to the cloud, one of the questions your security team will ask is: “How can I get an HSM (Hardware Security Module) backed Certificate Authority / PKI (Public Key Infrastructure) in Azure?” As mentioned in this Microsoft Forum, while there is no Certificate Authority as a service offered by Azure or Key Vault, we are happy to offer EZCA, an Azure-based Certificate Authority that leverages Key Vault and Azure Dedicated HSM(s) to create cloud-native Certificate Authorities in Azure.
Just like any other Azure resource, EZCA can be set up in just a few minutes via the Azure portal by following these steps. Once you’ve set up your EZCA instance, you’re ready to create your first Certificate Authority! EZCA leverages the security, automation, and scalability offered by the Azure cloud, meaning that your CAs will be highly available, allowing your team to focus on creating the best experience for your users.
EZCA also helps you manage and automate your certificate lifecycle, one of the most tedious elements of any PKI. Our easy-to-use domain management system allows you to assign domain owners and distribute the certificate management responsibility across your organization. Then, our certificate issuance and rotation systems make it easy for anyone to issue/manage certificates without any prior experience in SSL management. Prevent your next outage by removing the human element and automating the process.
One of the advantages of EZCA being created by a team of ex-Microsoft engineers is that we have exceptional Azure integrations, allowing you to achieve the crypto agility that today’s zero-trust world requires. EZCA makes it easy to automate all certificate issuance by using the Microsoft tools you already use.
With phishing attacks becoming more common, the US President issued Executive Order 14028 forcing government entities and government contractors to go passwordless using certificate-based authentication such as Azure CBA. EZCA is the first Azure-based CA that can create smartcard certificates and help you go passwordless in less than an hour.
EZCA is one of Microsoft’s recommended third-party CAs for Intune SCEP, allowing you to create a fully Azure-based infrastructure for Intune SSL certificate distribution.
One of our most powerful integrations is with Azure Key Vault for certificate creation and rotation. This integration allows you not only to create certificates and protect them with HSMs in Key Vault, but also to rotate the certificates automatically and push them to your Azure VMs. If that certificate is used for AAD authentication, we offer the only AAD automatic certificate rotation service for AAD applications.
If you are following Azure IoT security best practices, you are using IoT certificate authentication. However, setting up and maintaining the infrastructure for IoT devices is usually left to IoT software developers who are not familiar with PKI best practices and maintenance. This is why we have created a one-click Azure IoT integration allowing IoT developers to set and forget their Azure IoT Certificate Authorities. With our easy-to-follow development samples you can have Azure IoT certificate-based authentication working in less than a day!
During our conversations with customers, many have loved the new interface and new protocols that EZCA offers, such as ACME support and the Azure IoT one-click integration, but, due to compliance reasons, they could not move their CAs to the cloud. To enable this modern certificate management on legacy ADCS (Active Directory Certificate Services) CAs, we created our ADCS connector, enabling you to have all the same EZCA cloud features with your existing Windows ADCS infrastructure.
We understand that deploying a new certificate authority can be an intimidating task. We are here to help you through the process. Book a call with our PKI experts and we will answer any questions you might have about PKI best practices.