EZCA Frequently Asked Questions
EZCA Plans and Pricing
Do I Need a Premium CA to use EZCA with SCEP For Large Environments?
No, you do not need a premium CA to use EZCA with SCEP, even for large deployments. The Basic CA tier provides 3,600 certificates per hour, which is more than enough for any corporate environment doing SCEP issuance. If you are doing an initial rollout of EZCA SCEP certificates and expect to issue more than 3,600 certificates, we recommend staggering your rollout gradually. Once you are past the initial rollout phase, the Basic CA tier can easily handle the ongoing certificate issuance needs for SCEP in large environments.
If you are using OCSP (an optional feature), we recommend 1 Basic CA for each 1,000 certificates, as OCSP places a higher load on the CA.
The reason we offer Premium CA with 10x the capacity is for customers that need to issue a large number of certificates for other use cases such as Azure IoT Hub device certificates.
Are There Any Extra Costs for Using EZCA or is it Just the Cost of the CA?
No, there are no extra costs for using EZCA beyond the cost of the CA itself. The monthly cost of the CA includes all the features and capabilities of EZCA, including certificate issuance, management, and revocation.
If I Need a Root CA and an Intermediate CA, Do I Pay for Both?
Yes, you will need to pay for both the Root CA and the Intermediate CA. The reason for this is that we charge for the space in the HSM (Hardware Security Module) that is used to store the private key of each CA. Each CA requires its own space in the HSM, so you will need to pay for both the Root CA and the Intermediate CA. However, in some scenarios you might get away with just having a Root CA if you are only using your CA for a single purpose.
Can EZCA Replace My On-Premises ADCS PKI?
Yes, EZCA can replace your on-premises ADCS (Active Directory Certificate Services) PKI. EZCA is designed to provide a cloud-native PKI solution that integrates seamlessly with Azure and Microsoft Cloud environments. By migrating to EZCA, you can eliminate the need for on-premises infrastructure, reduce management overhead, and take advantage of the scalability and security features of a cloud-based PKI. However, it’s important to evaluate your specific use cases and requirements to ensure that EZCA meets all your needs before making the transition. You can schedule a call with our PKI experts to help you with the migration planning.
How Long Does it Take to Set Up EZCA?
EZCA is designed to be a quick and easy-to-deploy PKI solution. The setup process typically takes just a few minutes. Once you sign up for EZCA, you can create your first Certificate Authority (CA) and start issuing certificates almost immediately. The user-friendly interface and streamlined setup process allow you to get your PKI up and running quickly, so you can focus on managing your certificates and securing your applications.
Certificate Authorities
Do I Need OCSP?
OCSP (Online Certificate Status Protocol) is used to check the revocation status of certificates in real time. However, it seems to be on its way out, as many modern applications and operating systems are moving towards using CRLs (Certificate Revocation Lists) or shorter certificate lifetimes instead of relying on OCSP. For most use cases, especially with SCEP and device certificates, OCSP is not strictly necessary. However, if you have specific security requirements or compliance needs that mandate real-time revocation checking, then you may want to consider using OCSP.
Can I Export My CA Keys?
No. Due to technical limitations and security reasons, CA private keys cannot be exported from EZCA. The private keys are securely stored in a Hardware Security Module (HSM) to ensure the integrity and security of the CA. This is a standard practice in PKI management to prevent unauthorized access to the CA’s private keys.
Certificates
Why Can’t I See SCEP Certificates in the Certificate Page?
The Certificate page only shows server certificates that were issued by you or for a domain you own. If you are looking for certificates issued by others, including SCEP certificates, refer to this guide to learn how to manage and view all your certificates as a PKI administrator.
Can EZCA Issue Certificates for non-Azure Services?
Yes, EZCA can issue certificates for non-Azure services. We have multiple integrations that allow you to use EZCA to issue certificates for a variety of applications and services, regardless of whether they are hosted in Azure or not. For example, you can use EZCA to issue SSL/TLS certificates for your web servers, code signing certificates for your software applications, and client certificates for secure access to your services. Additionally, EZCA supports standard protocols such as SCEP and ACME, which can be used to automate certificate issuance for a wide range of services and platforms.
Domains
An Owner of a Domain Has Left the Company and Didn’t Transfer Ownership. How Can I Recover the Domain?
If the owner of a domain has left the company and did not transfer ownership, you can recover the domain by following the steps outlined in this guide.
Deployments and Hosting
Is There any Infrastructure I Need to Manage for EZCA?
No, EZCA is a fully managed cloud-native PKI solution. This means that Keytos takes care of all the infrastructure management, including server maintenance, software updates, security patches, and backups. You can focus on managing your certificates and PKI policies without worrying about the underlying infrastructure.
Does EZCA require an HSM or an Azure Key Vault?
No, EZCA does not require you to set up or manage your own HSM (Hardware Security Module) or Azure Key Vault. EZCA is a fully managed PKI solution that includes the necessary HSM infrastructure as part of the service. Keytos takes care of all the security and management aspects of the HSM, allowing you to focus on managing your certificates and PKI policies without worrying about the underlying hardware or key management.
Does EZCA Support Multi-Region Deployments?
Yes, EZCA supports multi-region deployments. While you must select a primary region where the HSM is located, EZCA is designed by default to provide high availability and redundancy across multiple regions. This ensures that your PKI services remain operational even in the event of a regional outage.
How Do I Deploy EZCA for GCC High and DoD?
EZCA is available in GCC High and DoD environments, but it is not listed in the Azure Marketplace due to a different hosting model. Instead of a multi-tenant service, we host separate instances in the customer's own Azure environment. To get EZCA in GCC High or DoD, please contact our sales team at sales@keytos.io.