How-To: Assign Domain Ownership for Certificate Management

EZCA enables full accountability for certificate ownership by assigning owners to each domain registered in EZCA. To register a new domain, follow these steps.

Prerequisites

  1. The Keytos application is registered in your tenant
  2. You have an active EZCA plan
  3. You have a Root CA
  4. (optional) You have an Issuing CA

Overview - How To Distribute SSL Certificate Responsibilities Across Your Organization

To help you run your PKI at scale, EZCA requires domain owners to be set before SSL certificates can be requested for a domain. This lets PKI administrators keep a record of domain ownership, while domain owners manage the approved users or applications that can request certificates for that domain.

How to Register a Domain in EZCA

A domain must be registered in EZCA before SSL certificates can be requested for that domain. Follow these steps to register a domain:

  1. Go to https://portal.ezca.io/

  2. Navigate to Domains.

  3. Click on + Register Domain.

  4. From the Issuing CA dropdown, select the Issuing CA that will issue certificates for this domain.

  5. In the Domain Name field, enter the domain name or IP address you want to register.

  6. In the Domain Owners field, enter the user(s) and/or group(s) that will act as the Domain Owner. Domain owners can make changes to the domain and can manage who can request certificates for this domain.

  7. In the Domain Requesters field, enter the user(s), group(s), and Entra ID application(s) that will be allowed to request certificates for this domain.

  8. Click the Register Domain button.

  9. Now that the domain is registered, create your first certificate.

How Does Domain Registration Approval Work?

If domain registration approval is set on the CA, a domain creation request is sent to the approvers for approval. Dual key approval is enforced, meaning that if you are an approver, someone else will have to approve your request.

Additional Guides


How-To: Restore Access to an Orphaned Domain

If a domain owner leaves your organization without transferring domain ownership, the domain becomes orphaned. This guide provides steps to restore access to an orphaned domain in EZCA.