
Setting Up Cloud PKI with Azure Key Vault

Cloud PKI Azure Key Vault. ADCS in Azure - How to protect your Private Keys with Azure Key Vault or dedicated HSM.
02 Feb 2024

How to Move On-Prem PKI to Cloud-Based PKI

Undeniably, the shift from on-premises systems to cloud-based solutions has gained significant momentum and continues to do so. It should come as absolutely no surprise that in today’s modern business environment, more and more Security Engineers are exploring how to set up a Cloud PKI (Certificate Authority) in AKV to protect their keys by moving ADCS to Azure Key Vault. If we do a little bit of research and glance back through the Microsoft forums, as far back as 3 years ago, there’s a noticeable curiosity about establishing a new Public Key Infrastructure (PKI) that integrates seamlessly with Intune and Azure Key Vault. Additionally, there’s a serious interest in leveraging Azure Key Vault as a Key Storage Provider (KSP) to facilitate running Certificate Authorities in the cloud. In this post, we’re going to explore various options for operating Certificate Authorities in the cloud, aiming to assist your organization in its journey towards PKI modernization.

Should I Run a Microsoft CA in an Azure VM?

When tasked with migrating your Certificate Authorities (CAs) to the cloud from an on-premises setup, the immediate thought might be to replicate your existing infrastructure in the cloud, essentially in an Azure VM. This approach seems straightforward and comfortably familiar. However, it’s not without its pitfalls. One must be vigilant about potential misconfigurations in the CA that could lead to security breaches. Additionally, maintaining a robust ExpressRoute connection to your on-premises Hardware Security Module (HSM) becomes essential to ensure key security. Despite its apparent simplicity, deploying certification authorities in an Azure VM is not the most cost-effective or scalable strategy for transitioning your PKI to the cloud. See here for more on how to create RDP SSL certificates for Azure VMs.

What are the Key Features of Cloud PKI?

Following Microsoft’s announcement that they won’t be developing an Azure-based PKI, several Microsoft partners have stepped up to fill this gap with their own PKI solutions in Azure. Among these, EZCA by Keytos stands out as the only cloud PKI offering fully integrated with Azure. This unique integration is a noteworthy aspect, especially considering that the EZCA team includes former Microsoft PKI engineers. EZCA’s seamless Azure integrations enable you to connect to Azure resources just as you would from other native Azure services. This makes EZCA a distinctive and efficient choice for those seeking a robust, Azure-centric PKI solution. Here are some of the things you’ll need to consider…

Do You Want to Issue Intune SCEP Certificates?

In the wake of the rising trend towards zero-trust security models, a significant shift is occurring in how organizations handle device authentication, moving towards certificate-based authentication (CBA). To facilitate this, Intune SCEP provides a streamlined way for organizations to distribute certificates to user devices efficiently. EZCA, as a Microsoft-approved PKI, integrates seamlessly with Intune, enabling a fully cloud-based infrastructure. This integration not only aligns with the zero-trust paradigm but also allows for the rapid setup of your Intune cloud-based PKI. Remarkably, what used to take weeks can now be accomplished in just a few hours, marking a significant advancement in the ease and speed of deploying secure authentication systems.

Do You Need ACME for Private Certificates?

As SSL certificates have continued to grow in use, the task of manually verifying and issuing each certificate has become unmanageable for PKI teams. This challenge led to the development of ACME (Automatic Certificate Management Environment), an automation protocol that simplifies the process. ACME allows the Certificate Authority to validate domain ownership by issuing a challenge and requiring the requester to publish the corresponding response under the domain (for example, as a DNS TXT record or a file at a well-known HTTP path) before the certificate is issued. Recognizing this need, EZCA offers support for ACME within private networks. This integration streamlines the certificate issuance process, making it more efficient and less labor-intensive.
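To make the challenge mechanism concrete, here is an added example (not EZCA code and not from the original post) showing both sides of an ACME DNS-01 validation as specified in RFC 8555 and RFC 7638: the client derives the key authorization and the TXT value from the CA's token and its account key, and the CA recomputes and compares. The JWK values and token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json
import secrets

# Members that RFC 7638 feeds into a JWK thumbprint, per key type.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace) of the required members."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side (RFC 8555 section 8.1): token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Client side (RFC 8555 section 8.4): the value to publish in _acme-challenge.<domain> TXT."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_verify_dns01(token: str, account_jwk: dict, published_txt: str) -> bool:
    """CA side: recompute the expected TXT value from its own token and the account key it holds,
    then compare in constant time. Only the holder of the matching account key could have produced it."""
    expected = dns01_txt_value(token, account_jwk)
    return secrets.compare_digest(expected, published_txt)


if __name__ == "__main__":
    # Constructed sample: the modulus is a placeholder, not a real RSA key.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
    token = "constructed-token-from-the-ca"  # the CA generates this per challenge
    txt = dns01_txt_value(token, account_jwk)
    print("publish TXT _acme-challenge.<domain> =", txt)
    print("CA validation:", ca_verify_dns01(token, account_jwk, txt))
```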

Do You Need to Automate Certificate Rotation?

As cloud adoption surges, the manual management of SSL certificates has become an impractical task. To streamline this process, we’ve integrated with Azure Key Vault. By leveraging Azure Key Vault’s capabilities, users can now ensure their certificates are seamlessly and securely managed, keeping pace with the dynamic and growing demands of cloud-based environments.

Do You Need Azure Application Certificate Auto-Renewal?

Unfortunately, Azure AD Applications still do not support subject-based authentication for certificate authentication. What exactly does that mean? Well, each time your certificate is rotated, you must register the new thumbprint in Azure AD. To help organizations automate their credential management, we have enhanced our Azure Key Vault certificate rotation feature with automatic registration of the new certificate, making EZCA the first tool to automate certificate rotation for Azure AD Applications!

Do You Need Certificate Management for IoT?

Using certificate-based authentication for Azure IoT is the safest method to connect your IoT devices to Azure. For those considering using their CA to distribute IoT certificates, we’ve compiled an IoT security best practices guide. Additionally, we offer a one-click integration with Azure IoT. This ensures organizations can commence their IoT projects by adhering to security standards and employing a certificate authority tailored to accommodate their growth.

Do You Need Custom, Open-Source Tools?

While Azure integrations and modern protocols such as ACME might be enough for 90% of Azure customers, we are committed to empowering everyone to have a secure PKI in Azure. This is why we have created open-source certificate rotation tools as well as a popular NuGet Package with one line certificate requests.

Do You Need CBA for Entra?

EZCA smoothly integrates with EZCMS, our passwordless onboarding tool, to allow organizations to adopt a completely passwordless approach in Azure. This combination manages user onboarding and the shipping and distribution of hardware keys, and it also supports the Microsoft Authenticator app!

Do You Need to Manage Public Certificates?

For those who have read this far and wish EZCA could also handle your public certificates, good news awaits! We recently introduced a feature in EZCA for public SSL certificate management! Now, all the impressive integrations you’ve learned about can be applied to your public certificate management as well.

How to Go from On-Prem to Cloud PKI with EZCA

As the inevitable shift from on-premises to cloud continues, it brings with it new complexities and questions, particularly around the secure migration from on-prem to cloud PKI. While the traditional method of running Active Directory Certificate Services (ADCS) in an Azure VM might seem familiar, it often falls short in terms of efficiency and security. Modern cloud-based PKI solutions offer a more refined approach, boasting enhanced flexibility, integration, and security, especially when tailored for Azure environments. EZCA exemplifies this modern approach as a comprehensive tool with native Azure integrations. It offers automated solutions to contemporary challenges, embodying Keytos’ commitment to adaptability and versatility. This is further evidenced by their array of open-source tools and the NuGet package, catering to a wide range of Azure customers. For organizations seeking to upgrade and secure their PKI within Azure, adopting solutions like EZCA, which are deeply integrated with and attuned to the cloud’s nuances, promises a smoother transition and a stronger, more secure digital future.
