How to Deploy a Certificate Authority in Azure

Create an Azure-based Certificate Authority in minutes.
27 Oct 2023

When moving to the cloud, one of the questions your security team will ask is: “How can I get an HSM (Hardware Security Module) backed Certificate Authority / PKI (Public Key Infrastructure) in Azure?” As mentioned in this Microsoft Forum, there is no Certificate Authority as a service offered by Azure or Key Vault. To fill that gap we offer EZCA, an Azure-based Certificate Authority that leverages Key Vault and Azure Dedicated HSM(s) to create cloud-native Certificate Authorities in Azure.

The Deployment Process

Just like any other Azure resource, EZCA can be set up in just a few minutes via the Azure portal by following these steps. Once you’ve set up your EZCA instance, you’re ready to create your first Certificate Authority! EZCA leverages the security, automation, and scalability offered by the Azure cloud, meaning that your CAs will be highly available, allowing your team to focus on creating the best experience for your users.

Certificate Lifecycle Automation

EZCA also helps you manage and automate your certificate lifecycle, one of the most tedious elements of any PKI. Our easy-to-use domain management system allows you to assign domain owners and distribute the certificate management responsibility across your organization. Then, our certificate issuance and rotation systems make it easy for anyone to issue/manage certificates without any prior experience in SSL management. Prevent your next outage by removing the human element and automating the process.

Microsoft Integrations

One of the advantages of EZCA being created by a team of ex-Microsoft engineers is that we have exceptional Azure integrations, allowing you to achieve the crypto agility that today’s zero-trust world requires. EZCA makes it easy to automate all certificate issuance by using the Microsoft tools you already use.

Passwordless Onboarding and Smartcard Support for Azure CBA

With phishing attacks becoming more common, the US President issued Executive Order 14028 forcing government entities and government contractors to go passwordless using certificate-based authentication such as Azure CBA. EZCA is the first Azure-based CA that can create smartcard certificates and help you go passwordless in less than an hour.

Intune SCEP Certificate Issuance

EZCA is one of Microsoft’s recommended third-party CAs for Intune SCEP, allowing you to create a fully Azure-based infrastructure for Intune SSL certificate distribution.

Azure Key Vault Automatic Rotation

One of our most powerful integrations is our integration with Azure Key Vault for certificate creation and rotation. This integration not only lets you create certificates and protect them with HSMs in Key Vault, but also lets you automatically rotate the certificates and push them to your Azure VMs. If that certificate is used for AAD authentication, we offer the only AAD automatic certificate rotation service for AAD applications.

Azure IoT One Click Connection

If you are following Azure IoT security best practices, you are using IoT certificate authentication. However, setting up and maintaining the infrastructure for IoT devices is usually left to IoT software developers who are not familiar with PKI best practices and maintenance. This is why we have created a one-click Azure IoT integration that allows IoT developers to set and forget their Azure IoT Certificate Authorities. With our easy-to-follow development samples, you can have Azure IoT certificate-based authentication working in less than a day!

Legacy Support

During our conversations with customers, many have loved the new interface and new protocols that EZCA offers, such as ACME support and Azure IoT one-click integration, but, due to compliance reasons, they could not move their CAs to the cloud. To enable this modern certificate management on legacy ADCS (Active Directory Certificate Services) CAs, we created our ADCS connector, enabling you to have all the same EZCA cloud features with your existing Windows ADCS infrastructure.

Connect ADCS CA to EZCA and gain features such as ACME, Azure Key Vault certificate rotation and more

We understand that deploying a new certificate authority can be an intimidating task. We are here to help you through the process: book a call with our PKI experts and we will answer any questions you might have about PKI best practices.