Microsoft has been saying for years that they will create and offer a PKI for Intune, and users have been – understandably – clamoring for the day it is released. Unfortunately, Microsoft could not do it; instead, they recommend that organizations use EZCA by Keytos, the first cloud-based PKI solution for Intune, and list Keytos as one of their third-party CA partners. In this blog, we will show you how to set up an Intune PKI with EZCA.
One of the coolest things about EZCA is that, as of January 2023, it can issue Simple Certificate Enrollment Protocol (SCEP) certificates for Intune. Check out our blog on what SCEP is to learn more about the protocol. You can also check out our documentation on how to issue SCEP certificates for Intune for more information on that front. Overall, this integration lets organizations use passwordless authentication for their VPNs, network infrastructure and more without requiring a large on-premises footprint. Which on-premises infrastructure needs does EZCA eliminate?
With our Azure-based Intune PKI solution, organizations are finally able to easily and safely manage SCEP certificates for Intune without needing a large team for maintenance and management of their infrastructure. Just like Microsoft, we at Keytos believe that passwordless authentication is the way of the future, and implementing EZCA allows organizations to reach the future, today.
EZCA fully replaces your old on-premises ADCS certificate authority by enabling you to perform all the functions that your legacy CA did, minus having to fret about the maintenance and upkeep that running a highly available PKI requires. Aside from issuing Intune SCEP certificates, EZCA can issue domain controller certificates for Hello for Business Hybrid, regular SSL certificates for internal sites and service-to-service authentication, and smartcard certificates. Check out our blog on how to create an Azure-based CA for Intune to learn more about how EZCA helps issue these types of certificates.
We know what you’re really here for: learning how to set up Intune PKI with EZCA! Here’s how:
1) Register the Keytos application and the EZCA Intune application in your tenant. This allows EZCA to authenticate your users and check the certificate request status in Intune so that it can issue certificates to your Intune-managed devices.
2) Create your EZCA instance in Azure.
3) Create your Intune CA.
4) Create your Intune device profiles and start issuing secure certificates to your users’ devices!
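Before pointing a device profile at a SCEP server in step 4, it is worth confirming that the endpoint advertises modern SCEP capabilities and that the CA certificate it hands out is the one you intend devices to trust. The script below is an added example written for this post, not Keytos or EZCA code; `SCEP_URL` and `EXPECTED_CA_SHA256` are placeholders that you would replace with the SCEP URL shown for your EZCA Intune CA and the SHA-256 fingerprint of the CA certificate you already trust. It uses only the standard `GetCACaps` and `GetCACert` operations defined in RFC 8894.

```python
"""Pre-flight check of a SCEP endpoint before creating Intune SCEP device profiles.

Added example, not Keytos/EZCA code. Assumptions (placeholders to replace):
- SCEP_URL: the SCEP URL of your Intune CA.
- EXPECTED_CA_SHA256: SHA-256 fingerprint (hex) of the CA certificate you trust.
"""
import hashlib
import urllib.parse
import urllib.request

SCEP_URL = "https://scep.example.invalid/scep"  # placeholder (assumption)
EXPECTED_CA_SHA256 = "00" * 32                   # placeholder (assumption)

# Capability keywords from RFC 8894 section 3.5.2 that we treat as must-haves:
# SHA-256 for PKCS#7 signing, AES for content encryption, POST for enrollment.
REQUIRED_CAPS = {"SHA-256", "AES", "POSTPKIOperation"}


def parse_ca_caps(body: str) -> set[str]:
    """GetCACaps returns one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def assess_ca_caps(caps: set[str]) -> list[str]:
    """Return findings about the advertised capabilities; empty means acceptable."""
    findings = []
    missing = REQUIRED_CAPS - caps
    if missing:
        findings.append(f"missing capabilities: {sorted(missing)}")
    if "SHA-256" not in caps and "SHA-512" not in caps:
        findings.append("no SHA-2 capability advertised; only legacy SHA-1 signing")
    if "SCEPStandard" not in caps:
        findings.append("server does not declare SCEPStandard (RFC 8894 conformance)")
    return findings


def ca_cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der: bytes, expected_hex: str) -> bool:
    """Compare against a pinned fingerprint, tolerating colons and upper case."""
    return ca_cert_fingerprint(der) == expected_hex.replace(":", "").lower()


def scep_get(url: str, operation: str) -> tuple[str, bytes]:
    """Issue a SCEP GET request and return (Content-Type, body)."""
    query = urllib.parse.urlencode({"operation": operation})
    with urllib.request.urlopen(f"{url}?{query}", timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


def preflight(url: str, expected_fp: str) -> list[str]:
    """Run both checks against a live endpoint and collect findings."""
    _, caps_body = scep_get(url, "GetCACaps")
    findings = assess_ca_caps(parse_ca_caps(caps_body.decode("ascii", "replace")))

    ctype, cert_body = scep_get(url, "GetCACert")
    if ctype.startswith("application/x-x509-ca-cert"):
        # A single DER certificate: hash it directly.
        if not fingerprint_matches(cert_body, expected_fp):
            findings.append("CA certificate fingerprint does not match the pinned value")
    else:
        # application/x-x509-ca-ra-cert is a degenerate PKCS#7 bundle (CA + RA
        # certificates); it must be parsed into individual certs before pinning.
        findings.append(f"GetCACert returned {ctype!r}; parse the PKCS#7 bundle before pinning")
    return findings


if __name__ == "__main__":
    for finding in preflight(SCEP_URL, EXPECTED_CA_SHA256) or ["no findings"]:
        print(finding)
```

Run it once against the SCEP URL before rolling a profile out to a pilot group; any finding other than "no findings" is a reason to pause. Pinning the CA fingerprint is the important part: a SCEP profile pushed by Intune will happily enroll against whatever CA answers at that URL, so the trusted-root profile you deploy alongside it should be the same certificate this check verifies.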
Security and compliance are at the core of any reliable identity CMS, and we take that very seriously. While it may be simple to set up and connect EZCA to Intune, you can sit easy knowing that we take all the necessary steps to secure our infrastructure and both meet and exceed international regulatory compliance standards. With EZCA, you can wholeheartedly trust that your Intune PKI is being run as a world-class PKI with the highest level of security and compliance.
We talked throughout this blog about the push towards passwordless authentication. While we just ran through the steps of how EZCA can help your organization by issuing SCEP certificates for your devices with Intune, one of the biggest hurdles that organizations face when transitioning to passwordless authentication is user onboarding. Check out our blog on how to go passwordless in Azure with Azure CBA to learn more about how EZCMS, our passwordless authentication onboarding CMS, can work with EZCA to help your organization go fully passwordless. You can also schedule a call to talk to a PKI expert about setting up your own Intune PKI if you want more case-specific information.