How-To: Assign Domain Ownership for Certificate Management

EZCA enables full accountability for certificate ownership by assigning owners to each domain registered in EZCA. To register a new domain, follow these steps.

Prerequisites

  1. The Keytos application is registered in your tenant
  2. You have an active EZCA plan
  3. You have a Root CA
  4. (optional) You have an Issuing CA

Overview - How To Distribute SSL Certificate Responsibilities Across Your Organization

To help you run your PKI at scale, domain owners must be set before SSL certificates can be requested for a domain. This enables PKI administrators to keep a record of domain ownership, while allowing domain owners to manage the approved users or applications that can request certificates for that domain.

How to Register a Domain in EZCA

A domain must be registered in EZCA before SSL certificates can be requested for that domain. Follow these steps to register a domain:

  1. Go to https://portal.ezca.io/

  2. Navigate to Domains.

    EZCA Cloud PKI portal My Domains page listing registered domains with Request Certificate buttons

  3. Click on + Register Domain.

    EZCA Cloud PKI My Domains page with Register Domain button highlighted in the top right

  4. From the Issuing CA dropdown, select the Issuing CA that will issue certificates for this domain.

    EZCA Cloud PKI Register New Domain form with Issuing CA dropdown highlighted for selection

  5. In the Domain Name field, enter the domain name or IP address you want to register.

    EZCA Cloud PKI Register New Domain form with Domain name field highlighted for entering the domain

  6. In the Domain Owners field, enter the user(s) and/or group(s) that will act as the Domain Owner. Domain owners can make changes to the domain and can manage who can request certificates for this domain.

    EZCA Cloud PKI Register New Domain form with Domain Owners list showing added users and groups

  7. In the Domain Requesters field, enter the user(s), group(s), and Entra ID application(s) that will be allowed to request certificates for this domain.

    EZCA Cloud PKI Register New Domain form with Domain Requesters list showing added users and service principals

  8. Click the Register Domain button.

    EZCA Cloud PKI Register New Domain form with Register Domain button highlighted to complete domain registration

  9. Now that the domain is registered, create your first certificate.

How Does Domain Registration Approval Work?

If domain registration approval is set in the CA, a domain creation request will be sent to the approvers for them to approve. Dual key approval is enforced, meaning that if you are an approver, someone else will have to approve your request.

Additional Guides

How-To: Restore Access to an Orphaned Domain

If a domain owner leaves your organization without transferring domain ownership, the domain becomes orphaned. This guide provides steps to restore access to an orphaned domain in EZCA.