Keytos Documentation > Passwordless onboarding tool For Azure Unphishable Credentials > How To Manage FIDO2 and SmartCard Settings in Entra ID > How To Enable Phishing Resistant Authentication in Entra ID Domain > How To Issue Entra CBA Smart Cards with ADCS

How To Issue Entra CBA Smart Cards with ADCS

Overview

Having certificate based authentication requires you to have a Certificate Authority that will issue certificates for your smart cards. We recommend using a PKI as a service CA such as our EZCA tool to have a compliant, HSM backed CA without all the management overhead. However, for organizations that require on-premises PKI deployments, EZCMS can connect to your existing windows (ADCS).

Pre-requisites

To establish this connection you are going to need: your ADCS Certificate Authority running on a Windows Server and another windows server that will be used as a certificate agent. CA Agent connection to ADCS

Getting Started

Please note that managing your own Certificate Authority is complex and it can be easy to make mistakes. We recommend using a PKI as a service solution such as EZCA to avoid the complexity of managing your own CA. However if you are using your own CA, please follow the steps below to connect your EZCMS instance to your ADCS CA. Help with this setup is not included in your regular EZCMS Support, if you would like a Keytos engineer to help you setup your ADCS agent, please see our Keytos Professional Services for more information.