EZCA Frequently Asked Questions
EZCA Plans and Pricing
How Am I Billed for EZCA?
Only your Certificate Authorities (CAs) are billed in EZCA at a flat fee per month. Once you create a CA, you can create unlimited certificates (within the rate limits of your CA tier) at no additional cost. There are no additional costs for features such as SCEP, ACME, OCSP, or CRL hosting. All these features are included in the monthly cost of the CA. The only time you will incur additional costs is if you create multiple CAs or geo-redundant CAs in different regions, as those are separate CAs that each have their own monthly cost.
For example, if you have a Basic Root CA and a Basic SCEP Issuing CA, you will be billed for 2 CAs each month. However, you can issue unlimited certificates from both CAs without any additional costs.
Do EZCA Subscriptions Cost Anything or Include Any CAs?
No, EZCA subscriptions are free to create and do not include any CAs. You only pay for the CAs that you create within your EZCA subscription. This allows you to create an EZCA subscription without any upfront costs and only pay for the CAs that you actually use each month. Only the CAs incur a monthly cost based on their tier (Basic or Premium) and the number of CAs you create.
Do I Need a Premium CA to use EZCA with SCEP For Large Environments?
No, you do not need a Premium CA to use EZCA with SCEP, even for large deployments. The Basic CA tier provides 3,600 certificates per hour, which is more than enough for ongoing SCEP issuance in any corporate environment. If you are doing an initial rollout of EZCA SCEP certificates and expect to request more than 3,600 certificates per hour, we recommend staggering the rollout (for example, by targeting device groups in waves) so that enrollment stays under the hourly limit. Once you are past the initial rollout phase, the Basic CA tier can easily handle the ongoing certificate issuance needs for SCEP in large environments.
If you enable OCSP (an optional feature), plan capacity differently: every relying party that checks a certificate's status sends a live query to the CA's OCSP responder, so the load scales with the number of certificates in use rather than with the issuance rate. For OCSP-enabled CAs we recommend 1 Basic CA for each 1,000 certificates.
The reason we offer Premium CA with 10x the capacity is for customers that need to issue a large number of certificates for other use cases such as Azure IoT Hub device certificates.
Are There Any Extra Costs for Using EZCA or is it Just the Cost of the CA?
No, there are no extra costs for using EZCA beyond the cost of the CA itself. The monthly cost of the CA includes all the features and capabilities of EZCA, including certificate issuance, management, and revocation.
If I Need a Root CA and an Intermediate CA, Do I Pay for Both?
Yes, you will need to pay for both the Root CA and the Intermediate CA. The reason for this is that we charge for the space in the HSM (Hardware Security Module) that is used to store the private key of each CA. Each CA requires its own space in the HSM, so each one carries its own monthly cost. In some scenarios you might get by with just a Root CA if you are using your PKI for a single purpose. Keep in mind that a single-tier hierarchy means the root key signs every end-entity certificate directly, so rotating or replacing that key requires redistributing a new trust anchor to every relying system; a Root plus Intermediate hierarchy lets you replace the issuing CA without touching the trust anchor.
Can EZCA Replace My On-Premises ADCS PKI?
Yes, EZCA can replace your on-premises ADCS (Active Directory Certificate Services) PKI. EZCA is designed to provide a cloud-native PKI solution that integrates seamlessly with Azure and Microsoft Cloud environments. By migrating to EZCA, you can eliminate the need for on-premises infrastructure, reduce management overhead, and take advantage of the scalability and security features of a cloud-based PKI. However, it’s important to evaluate your specific use cases and requirements to ensure that EZCA meets all your needs before making the transition. You can schedule a call with our PKI experts to help you with the migration planning.
How Long Does it Take to Set Up EZCA?
EZCA is designed to be a quick and easy-to-deploy PKI solution. The setup process typically takes just a few minutes. Once you sign up for EZCA, you can create your first Certificate Authority (CA) and start issuing certificates almost immediately. The user-friendly interface and streamlined setup process allow you to get your PKI up and running quickly, so you can focus on managing your certificates and securing your applications.
Certificate Authorities
Do I Need OCSP?
OCSP (Online Certificate Status Protocol) is used to check the revocation status of certificates in real time. However, it is on its way out: browsers, operating systems and public CAs have largely moved toward CRLs (Certificate Revocation Lists) and shorter certificate lifetimes instead of relying on OCSP, because OCSP adds a live dependency on the responder for every validation and, unless stapled, leaks which certificates a client is checking. For most use cases, especially SCEP and device certificates, OCSP is not strictly necessary. If you have specific security requirements or compliance needs that mandate real-time revocation checking, then you may want to consider using OCSP. Refer to these guides on how to enable OCSP in Root CAs, Issuing SSL CAs, and SCEP CAs.
Can I Enable OCSP After Creating My CA?
No, OCSP must be enabled at the time of CA creation. If you did not enable OCSP when you created your CA, you will need to create a new CA with OCSP enabled. This is because OCSP settings are part of the CA's configuration and cannot be changed after the CA has been created. This also matches how clients behave: they locate the OCSP responder through the Authority Information Access (AIA) extension embedded in each issued certificate, so certificates already issued by a CA without OCSP would not point at a responder even if one were added later.
Can I Export My CA Keys?
No. Due to technical limitations and security reasons, CA private keys cannot be exported from EZCA. The private keys are securely stored in a Hardware Security Module (HSM) to ensure the integrity and security of the CA. This is a standard practice in PKI management to prevent unauthorized access to the CA’s private keys.
Can I Move My CA To Another EZCA Subscription?
Yes, to move your EZCA certificate authority (CA) from one subscription to another please contact Keytos support to begin the migration process. In most cases it will be a seamless migration, but we help walk you through a quick checklist to ensure there is no impact to billing, access control, and notifications.
Can I Issue SSL or Server Certificates from a SCEP CA?
Only PKI Administrators can issue SSL and server certificates from a SCEP CA in EZCA, through the Request Certificate as Administrator interface. This is due to the risk of impersonation attacks: a user who could request arbitrary certificates from a SCEP CA could obtain one carrying the SCEP Device ID or UPN of another user and use it for authentication against systems that trust that CA. To prevent such attacks, we only allow PKI Administrators to issue SSL certificates from SCEP CAs. This path is intended for a small number of SSL or server certificates for specific use cases, such as internal services or testing environments.
For large scale or self-service SSL and server certificate issuance, it is recommended to create a dedicated SSL Issuing CA. The Certificate and Domain management interfaces in EZCA require an SSL CA Template for your users to request SSL certificates directly and will not work with SCEP CAs.
Additionally, KB5014754 (certificate-based authentication changes on Windows domain controllers) introduced strong certificate mapping requirements for certificates used to authenticate to Active Directory. If certificates issued from a SCEP CA are used for that purpose, they must satisfy those mapping requirements, which may affect how you plan certificate issuance from SCEP CAs.
Can I Use a SCEP Template and an SSL Template on the Same CA?
No, in EZCA, each Certificate Authority (CA) can only have one type of template associated with it. This means that if you create a CA with a SCEP template, you cannot also use an SSL template on the same CA, and vice versa.
This design reduces impersonation attacks where a user could issue an SSL certificate with a SCEP Device ID or UPN of another user and use it for authentication. To prevent these impersonation attacks, we separate SCEP and SSL templates onto different CAs which can separately be trusted by different systems.
If you need to issue both SCEP certificates and SSL certificates, it is recommended to create separate CAs for each template type. This allows you to manage and issue certificates according to their specific use cases and requirements.
However, if you need to issue a small number of SSL certificates from a SCEP CA, PKI Administrators can do so through the Request Certificate as Administrator interface.
Can I Enable Wildcard Certificates on My Issuing CA?
Yes, but only at CA creation time. When creating an Issuing CA in EZCA, you have the option to enable wildcard certificate issuance. This allows the CA to issue wildcard certificates (e.g., *.example.com) for your domains. However, once the CA is created, this setting cannot be changed. If you need to enable or disable wildcard certificate issuance after the CA has been created, you will need to create a new Issuing CA with the desired settings.
This is done to protect the integrity of the CA's configuration: a wildcard certificate is valid for every host under the domain, so silently enabling wildcard issuance on an existing CA could lead to unauthorized certificate issuance, while silently disabling it could break renewals and cause outages.
Certificates
Why Can’t I See SCEP Certificates in the Certificate Page?
The Certificate page only shows server certificates that were issued by you or for a domain you own. If you are looking for certificates issued by others, including SCEP certificates, refer to this guide to learn how to manage and view all your certificates as a PKI administrator.
Can EZCA Issue Certificates for non-Azure Services?
Yes, EZCA can issue certificates for non-Azure services. We have multiple integrations that allow you to use EZCA to issue certificates for a variety of applications and services, regardless of whether they are hosted in Azure or not. For example, you can use EZCA to issue SSL/TLS certificates for your web servers, code signing certificates for your software applications, and client certificates for secure access to your services. Additionally, EZCA supports standard protocols such as SCEP and ACME, which can be used to automate certificate issuance for a wide range of services and platforms.
Domains
An Owner of a Domain Has Left the Company and Didn’t Transfer Ownership. How Can I Recover the Domain?
If the owner of a domain has left the company and did not transfer ownership, you can recover the domain by following the steps outlined in this guide.
Deployments and Hosting
Is There any Infrastructure I Need to Manage for EZCA?
No, EZCA is a fully managed cloud-native PKI solution. This means that Keytos takes care of all the infrastructure management, including server maintenance, software updates, security patches, and backups. You can focus on managing your certificates and PKI policies without worrying about the underlying infrastructure.
Does EZCA require an HSM or an Azure Key Vault?
No, EZCA does not require you to set up or manage your own HSM (Hardware Security Module) or Azure Key Vault. EZCA is a fully managed PKI solution that includes the necessary HSM infrastructure as part of the service. Keytos takes care of all the security and management aspects of the HSM, allowing you to focus on managing your certificates and PKI policies without worrying about the underlying hardware or key management.
Does EZCA Support Multi-Region Deployments?
Yes, EZCA supports multi-region deployments. When you create a CA you must select a primary region, which is where the HSM holding that CA's private key is located. For redundancy across regions, you can create geo-redundant CAs in other regions; each is a separate CA with its own key and its own monthly cost, and each can issue certificates independently, so your PKI services remain operational even in the event of a regional outage.
How Do I Deploy EZCA for GCC High and DoD?
EZCA is available in GCC High and DoD environments, but is not listed in the Azure Marketplace due to a different hosting model. Instead of a multi-tenant service, we host separate instances in a customer’s own Azure environment. To get EZCA in GCC High or DoD, please contact our sales team at sales@keytos.io.
What are EZCA's CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs?
EZCA’s CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs are hosted on Keytos’ global CDN to ensure high availability and low latency access. Each CA will create unique URLs for CRL and AIA that are specific to that CA. You can find the CRL URL by navigating to your CA in the EZCA portal and clicking View Details. Additionally, you can also find the CRL and AIA URLs in the issued certificates themselves.
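The following is an added example, not Keytos or EZCA code, that ties together the two points above: reading the CDP and AIA URLs out of an issued certificate the way a relying party would (the same extensions you will find in certificates issued by your EZCA CA), and performing a CRL-based revocation check of the kind the "Do I Need OCSP?" answer recommends instead of OCSP. Because it must run offline, it builds its own throwaway issuing CA, leaf certificates and CRL with the `cryptography` library; the URLs (`crl.example.invalid`, `aia.example.invalid`) and serial numbers are constructed placeholders standing in for the per-CA values EZCA generates. Note that the CRL signature is verified against the issuing CA before any status is taken from it; a CRL whose signature does not verify is rejected rather than treated as "not revoked".

```python
"""Added example (not EZCA code): extract CDP/AIA URLs from a certificate and
check it against a CA-signed CRL. CA, URLs and serials are constructed here."""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import (NameOID, ExtensionOID,
                                   AuthorityInformationAccessOID)
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Hypothetical URLs standing in for the per-CA values EZCA generates.
CDP_URL = "http://crl.example.invalid/issuing-ca.crl"
AIA_CA_ISSUERS_URL = "http://aia.example.invalid/issuing-ca.cer"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_ca():
    """Throwaway self-signed issuing CA (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example Issuing CA"))
            .issuer_name(_name("Example Issuing CA"))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Leaf certificate carrying CDP and AIA (CA Issuers) extensions."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime.now(dt.timezone.utc)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(CDP_URL)], None, None, None)])
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.CA_ISSUERS,
        x509.UniformResourceIdentifier(AIA_CA_ISSUERS_URL))])
    return (x509.CertificateBuilder()
            .subject_name(_name(hostname))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .add_extension(cdp, critical=False)
            .add_extension(aia, critical=False)
            .sign(ca_key, hashes.SHA256()))


def revocation_urls(cert):
    """Return (crl_urls, ca_issuer_urls) read from the CDP and AIA extensions."""
    crl_urls, issuer_urls = [], []
    try:
        for dp in cert.extensions.get_extension_for_oid(
                ExtensionOID.CRL_DISTRIBUTION_POINTS).value:
            for gn in dp.full_name or []:
                if isinstance(gn, x509.UniformResourceIdentifier):
                    crl_urls.append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:
        for ad in cert.extensions.get_extension_for_oid(
                ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value:
            if ad.access_method == AuthorityInformationAccessOID.CA_ISSUERS:
                issuer_urls.append(ad.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return crl_urls, issuer_urls


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA listing the given serial numbers as revoked."""
    now = dt.datetime.now(dt.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now)
               .next_update(now + dt.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def is_revoked(cert, crl, ca_cert):
    """Verify the CRL signature against the issuing CA before trusting it."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    ca_key, ca_cert = build_ca()
    good = issue_leaf(ca_key, ca_cert, "app1.example.invalid")
    bad = issue_leaf(ca_key, ca_cert, "app2.example.invalid")
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    return revocation_urls(good), is_revoked(good, crl, ca_cert), is_revoked(bad, crl, ca_cert)


if __name__ == "__main__":
    print(demo())
```

In production the `revocation_urls` step is where you would fetch the CRL from the CDP URL (on Keytos' CDN for EZCA CAs) and the issuer certificate from the AIA URL; the signature check in `is_revoked` is what makes the CDN a safe place to host the CRL, since a tampered list simply fails verification.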
Can I Host My Own Local or Private Instance of EZCA?
EZCA offers a Private Infrastructure deployment option for enterprise customers who require a dedicated and private instance of EZCA. Please reach out to our sales team to discuss advanced hosting options.
Is there a Local Proxy for EZCA?
We do not have a local proxy for EZCA at this time. If you are looking to add redundancy to your PKI infrastructure, we recommend creating geo-redundant CAs in different regions. This allows you to have multiple CAs that can issue certificates independently, providing high availability and resilience for your PKI services.
Compliance and Security
Is EZCA SOC 2 Type 2 Compliant?
Yes, Keytos and EZCA are SOC 2 Type 2 compliant, and we have successfully completed the SOC 2 Type 2 audit. This means that we have implemented and maintained effective controls to ensure the security, availability, processing integrity, confidentiality, and privacy of our systems and data.
Copies of our SOC 2 Type 2 report are available within your EZCA portal under the Trust Center section. If you have any questions or need further information about our compliance, please contact our support team.
Is EZCA ISO 27001 Certified?
Yes, Keytos and EZCA are ISO 27001 certified, demonstrating our commitment to maintaining a robust information security management system (ISMS). This certification ensures that we follow best practices for managing sensitive information and protecting our customers’ data.
Copies of our ISO 27001 certificate are available within your EZCA portal under the Trust Center section. If you have any questions or need further information about our certification, please contact our support team.
Help and Support
How Can I Get Support for EZCA?
If you need support for EZCA, there are several options available to you:
- EZCA Documentation: Our comprehensive documentation provides detailed guides, troubleshooting steps, and best practices for using EZCA. You can access the documentation here.
- EZCA Portal: Log in to your EZCA portal to access support resources, including the ability to submit support tickets directly to our team. Subscriptions with Premium Support also have access to a dedicated support line for faster response times.
- Email Support: You can reach out to our support team via email at support@keytos.io.
- Real-Time Chat: For immediate assistance, you can use the real-time chat feature available on our website. We have an AI Agent trained specifically on EZCA to help answer your questions and troubleshoot any issues you may encounter, but you can also escalate to a live support agent at any time if you need more in-depth assistance.
- Professional Services: For help integrating EZCA into your network or for more complex troubleshooting, we offer a paid Professional Services package that pairs you with an identity expert for tailored assistance. Email our sales team at sales@keytos.io to inquire about a Deployment Consultation or to learn more about our Professional Services offerings.