As we’ve previously written about, TONS of people within the Cloud Security community are up-in-arms about how underwhelming Microsoft’s announcement about the Intune Cloud PKI a few weeks ago was. If you hadn’t heard (check the video below), it lacks what many consider to be the fundamental aspects of PKI such as non-Intune SCEP, OCSP, ACME, Smartcard Distribution, AKV Cert rotation, and IoT Hub integration – just to name a few. You’d imagine that a tool with so many obvious shortcomings would be reasonably priced, right? Nope. The final tipping point for most people was the price tag of $2/user, which seems like highway robbery to most everyone that has been bootstrapping PKI due to Microsoft’s ineptitude over the past however-many years. To put things in perspective, this would be like entering a 1st grader into the NBA draft, trying to pass it off as a top-tier prospect, and demanding a record-high contract.
PKI practitioners have grown accustomed to working with 3rd party PKI tools in recent history, so finding the best alternative for Microsoft Cloud PKI is nothing new. In the following we’ll take a look at EZCA, SCEPMan, and KeyFactor’s EJBCA as viable alternatives while weighing the pros and cons.
The clear frontrunner here is Keytos’ EZCA, the Azure PKI. Quite literally built by former Microsoft Engineers to address these exact problems (cough, cough…) EZCA removes the complexities of managing PKI while maintaining the most sophisticated means of certificate security. Here’s some of the reasons why you’re going to love it…
Native Azure Integration: EZCA is the first and only cloud-based PKI Solution that was designed to be Azure-native, in Azure by ex-Microsoft engineers. This makes EZCA feel like an extension of Azure; no need to think about managing your own: Hardware Security Modules (HSMs), Certificate Revocation Lists (CRLs), OCSP, CA Availability, certificate lifecycle or any daunting task involved in running your own PKI.
Easy Setup in the Marketplace: As a Microsoft partner we are proud to offer EZCA in the Azure Marketplace enabling Azure customers to quickly and securely setup their Azure cloud-based PKI straight form the Azure portal.
Intune SCEP Certificate Authority Connection: Manage your organization’s devices without the need to have an on-premises domain. With EZCA, you can easily create an Azure based certificate authority for Intune and issue SCEP certificates without the overhead of managing an ADCS and Intune SCEP connector instance.
Azure Key Vault Integration: While EZCA offers many automatic certificate issuance protocols such as SCEP and ACME, one of the most used features is our one-click Azure Key Vault certificate creation and management integration.
Automatic Application Certificate Rotation: We are proud to say EZCA is the only PKIaaS that offers automatic AAD Application Certificate Rotation.
Sentinel Integration: As a Microsoft Security partner, all Keytos tools send all security logs to Azure Sentinel allowing you to have a single pane of glass where your SOC team can monitor your infrastructure and detect anomalies.
As you can plainly see, EZCA’s multitude of features and native integrations have made it the go-to choice for many within the security community who are looking for a robust solution at a reasonable price. Is that too much to ask for? We think not! Don’t believe us? GOOD! This is the era of zero-trust! …but you can check out the EZCA pricing right here, or learn more about how it works, if you’re interested.
Admittedly, the SCEPMan alternative to Microsoft’s Intune Cloud PKI can get the job done and has been doing so for quite some time now. Which is an interesting point, because the tech seems to not have been updated since it was built. It is relatively cost effective in the grand scheme of things, but it does have a few noticeable shortcomings. It is limited exclusively to SCEP and doesn’t support ACME, doesn’t support smart cards, and more. …I think you can see why this could be an issue. Also, the lack of integration with Azure poses challenges for organizations deeply integrated with Azure services. Finally, you’re required to manage infrastructure which complicates implementation and ongoing maintenance.
If you need really expensive, legacy, on-prem stuff, then KeyFactor’s EJBCA to might be for you! It’s on the wildly high side of the pricing spectrum, and the complexity of its implementation and maintenance adds to its challenges, requiring substantial resources and expertise. Additionally, KeyFactor’s limited integration capabilities with Azure, especially in areas like Azure IoT, AAD App Rotation, or AKV automatic rotation, restrict its functionality for businesses seeking comprehensive Azure ecosystem compatibility. These factors combined can make KeyFactor a less than ideal solution for certain organizational needs.
Finding the right alternative for Microsoft’s Intune Cloud PKI is all about Integrating third-party PKI tools into your organizational security infrastructure. It’s not just a recommendation anymore—it’s a necessity. By tapping into these tools, organizations can streamline certificate operations, elevate their security stance, and seamlessly align with modern security benchmarks. If you’re contemplating setting up a Certificate Authority, chat with our Identity Experts, and learn more about how to modernize your PKI today!