How-To: Create Server Certificates with SCEP Cloud CA

EZCA Cloud SCEP CA for Intune enables you to create server certificates for your servers without needing to run your own PKI infrastructure or any additional services.

Introduction - How to Create a Server Certificate with Cloud PKI

While EZCA SCEP CAs typically issue user and/or device certificates through an MDM solution such as Intune or Jamf, you can also use one to create server certificates for your network controllers or other servers that require certificate authentication, such as RADIUS servers, VPN servers, and web servers. This saves you from deploying a second SSL CA or running ADCS (Active Directory Certificate Services) to issue server certificates.

Follow the instructions below to learn how to create server certificates with your EZCA SCEP CA.

When Should I Create an SSL CA in Addition to my SCEP CA, vs Using Server Certificates in my SCEP CA?

One of the most common questions we get is when to create a separate SSL CA in addition to the SCEP CA, vs. just using server certificates in the SCEP CA. It comes down to a simple question: Will your server certificates be issued only by the PKI administrators? Or will other users (such as help desk or other IT staff) also need to issue server certificates?

  • If only PKI administrators will issue server certificates, you can use the SCEP CA for both SCEP and server certificates.
  • If other users (such as help desk or other IT staff) will also need to issue server certificates, we recommend creating a separate SSL CA for server certificates. This gives you more granular control over who can issue server certificates, and it also helps prevent user or device impersonation by someone creating a “Server Certificate” with the identity of a user or device.

Prerequisites for Issuing Server Certificates with a SCEP CA

Before you can create server certificates with your SCEP CA, make sure you have the following prerequisites in place:

  1. You have created an EZCA SCEP CA. By default, SCEP CAs have a limited set of required EKUs. If you need additional EKUs, make sure you added the KDC Authentication, Smart Card Logon, Client Authentication, and Server Authentication EKUs during the CA creation process.
  2. You are a PKI Admin of your EZCA subscription. Only PKI Admins can create server certificates in a SCEP CA.

How to Create a Server Certificate in a SCEP Cloud CA

The following steps will guide you through the process of creating a server certificate with your EZCA SCEP CA:

  1. Navigate to the EZCA portal (if you have a private instance or use one of our localized EZCA portals, go to that specific portal instead).

  2. Log in with an account that is registered as a PKI Admin in EZCA.

  3. From the left-hand menu, select Certificate Authorities.

    EZCA Cloud PKI Certificate Authorities dashboard showing active CAs with pie charts for status and key type
  4. Select the View Requirements button for your CA.

    EZCA Cloud PKI My CAs list showing multiple certificate authorities with View Requirements button highlighted
  5. Select the Request Certificate as Administrator button.

    EZCA Cloud PKI My CAs list showing multiple certificate authorities with Request Certificate as Administrator button highlighted
  6. Enter the Subject Name in the format CN=server1.contoso.com OU=Your OU DC=contoso DC=com.

  7. Enter your host name as a DNS Name.

  8. Select the Validity Period of your certificate.

  9. Under Certificate Location, select Generate Locally to create the certificate and private key directly in the browser, or Import CSR to generate the certificate signing request and private key on your server and use the portal only to sign the CSR.

  10. Click Request Certificate to issue the certificate.

    EZCA Cloud PKI Intune CA Issuance Policy Request New Certificate form with subject name and SAN fields filled in
  11. Download and install the certificate on your server or network controller.

How to Set Your Server Certificate for Automatic Rotation

Once you have created your server certificate in EZCA, you can optionally use the EZCA Certificate Renewal Client to automatically renew the certificate before it expires. To do this, you can create a scheduled task that runs the following command:

.\EZCACertManager.exe renew -s "CN=server1.contoso.com" --LocalStore

If you have multiple certificates with the same subject name, we recommend using the Issuer name or template name to specify the certificate you want to renew.
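Registering the scheduled task described above, as an added PowerShell example that is not part of the original article or the EZCA product: it first confirms that exactly one certificate in the machine store matches the subject (since a duplicate subject makes the renew command ambiguous), then registers a daily task that runs the renew command from this page as SYSTEM. The install directory, task name and schedule are assumptions; adjust them for your environment.

```powershell
# Added example, not EZCA's own code. Assumed values: install directory, task name, schedule.
$ClientDir = 'C:\Program Files\EZCACertManager'   # assumed install location of the renewal client
$Subject   = 'CN=server1.contoso.com'              # subject used on this page
$TaskName  = 'EZCA Server Certificate Renewal'     # assumed task name

# Pre-flight check: the renew command selects the certificate by subject name.
# If the machine store holds more than one match, the page recommends narrowing
# the selection by issuer or template name, so stop instead of registering an
# ambiguous task.
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
if ($certs.Count -eq 0) {
    throw "No certificate with subject '$Subject' found in Cert:\LocalMachine\My."
}
if ($certs.Count -gt 1) {
    throw "Subject '$Subject' matches $($certs.Count) certificates; narrow -s with the issuer or template name."
}

# The command from this page. The inner quotes are escaped so they reach the client intact.
$Action = New-ScheduledTaskAction `
    -Execute (Join-Path $ClientDir 'EZCACertManager.exe') `
    -Argument "renew -s `"$Subject`" --LocalStore" `
    -WorkingDirectory $ClientDir

# Assumed schedule: once a day, early morning. Pick a cadence that fits the
# certificate's validity period and the renewal window you want.
$Trigger = New-ScheduledTaskTrigger -Daily -At 3am

# Writing a new key and certificate into the machine store needs local admin
# rights; running as SYSTEM avoids storing a service account password with the task.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Run a missed schedule on the next boot and do not let a hung client run forever.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Show when the current certificate expires so you know by when the first renewal must succeed.
"Task '$TaskName' registered. Current certificate expires $($certs[0].NotAfter)."
```

After the first scheduled run, check the task's Last Run Result in Task Scheduler and confirm that Cert:\LocalMachine\My now holds a certificate with a later NotAfter than the one shown above.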