How-To: Issue Entra CBA Smart Cards with Azure PKI

Get started with passwordless authentication and start creating smart cards in minutes by connecting EZCMS to EZCA, the first Azure Certificate Authority.

Prerequisites for Creating Entra CBA Smart Cards with EZCMS and EZCA

  1. EZCA Subscription

Overview

Certificate-based authentication requires a Certificate Authority that issues the certificates loaded onto your smart cards. We recommend a PKI-as-a-service CA such as our EZCA tool: a compliant, HSM-backed CA without the management overhead of running your own.

Getting Started - Creating a Cloud PKI for Entra CBA

  1. Go to https://portal.ezca.io/
  2. Log in with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities. [Screenshot: Cloud CA menu for Entra CBA certificates]
  4. Click the “Create CA” button. [Screenshot: Create Cloud PKI for Entra CBA]
  5. Select Subordinate/Intermediate CA. [Screenshot: Select Subordinate/Intermediate Cloud CA]
  6. Click Next.

Entering Cloud CA Information

  1. Enter the Common Name: the name of the CA as it will appear in the certificate.
  2. (Optional) Enter a CA Friendly Name: the name that will appear in the EZCA portal; by default the Common Name is used.
  3. (Optional) Enter the Organization: an optional certificate field that usually holds the company name.
  4. (Optional) Enter the Organizational Unit: an optional certificate field that usually names the unit that runs this CA (for example, IT or HR).
  5. (Optional) Enter the Country Code: an optional certificate field that identifies the country where this CA is located.
  6. Click Next. [Screenshot: CA details for Entra CBA Cloud PKI]

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for the best security and compatibility. [Screenshot: Crypto details for Entra CBA]

Validity Period

  1. Select your Validity Period (see “Validity Period best practices” to learn more).
  2. Enter a Notification Email: this address (as well as the PKI Administrators) will receive all notifications for the lifecycle of the CA.
  3. Select the lifecycle action you want EZCA to take when the CA approaches expiry (for now we recommend rotating Certificate Authorities manually, since Entra CBA does not support automatic CA rotation).
  4. Select the percentage of the certificate lifetime at which you want EZCA to start taking lifecycle actions. [Screenshot: EZCA Cloud PKI Create CA step 4 showing validity period, notification email, and lifecycle action settings]

CA Certificate Revocation List

  1. Select whether this CA should issue a CRL (highly recommended).
  2. Click Next. [Screenshot: EZCA Cloud PKI Create CA validity and CRL settings with Next button highlighted]

CA Certificate Revocation List Advanced Settings

  1. Click the expand button. [Screenshot: EZCA Cloud PKI Create CA CRL Advanced Settings section with expand button highlighted]
  2. Enter the desired CRL Validity Period in days.
  3. Enter the desired CRL Overlap Period in hours.
  4. (Optional) Enter the CRL endpoint where you will publish your CRLs.
  5. Do not enable OCSP; it is not supported by Entra CBA.
  6. Click Next. [Screenshot: EZCA Cloud PKI Create CA validity and CRL settings with Next button highlighted]

Smart Card Template and EZCMS Settings

  1. Change the issuing template to “Smart Card Template”. [Screenshot: Smart Card Template for Entra CBA certificate issuance]
  2. Set the desired smart card certificate lifetime.
  3. In another tab, open your EZCMS instance and copy the Subscription ID from the settings page. [Screenshot: EZCMS Passwordless Onboarding Subscription ID]
  4. Paste the Subscription ID into the “EZCMS Instance ID” field. [Screenshot: EZCMS Passwordless Onboarding Subscription ID in EZCA]
  5. Click Next.

Select Cloud PKI Location for Entra CBA

  1. Select the location where you want your CA to be created. [Screenshot: Create Certificate Authority for Entra CBA]

Add Geo-Redundancy to your Cloud PKI for Entra CBA

EZCA allows you to create multiple CAs across many regions for geo-redundancy.

  1. Click the “Add Secondary Location” button. [Screenshot: Create Secondary Location]
  2. Enter the location information. [Screenshot: Create Secondary Location]
  3. Add as many locations as needed.

Create Cloud CA for Entra CBA

  1. Click Create. [Screenshot: Create CA for Entra CBA]

Chaining to EZCA Root CA

  1. Once the CA is requested, a Certificate Signing Request (CSR) is created for each location. [Screenshot: EZCA Cloud PKI showing Intermediate CA request pending with CSR displayed and Chain to EZCA CA dropdown]
  2. If your desired Root CA is an EZCA CA, select it from the dropdown and click Create CA. If you do not have a Root CA, you can create one by following the EZCA Root CA Creation Guide. [Screenshot: EZCA Cloud PKI CA request showing Chain to EZCA CA dropdown selected with Create CA button highlighted]
  3. Repeat these steps for each location.
  4. Your CA is ready to be used!

Chaining to Offline Root CA

  1. Once the CA is requested, a Certificate Signing Request (CSR) is created for each location. [Screenshot: EZCA Cloud PKI showing Intermediate CA request pending with CSR displayed and Chain to EZCA CA dropdown]
  2. Click the “Save CSR” button. [Screenshot: EZCA Cloud PKI CA CSR page showing Save CSR button highlighted and Upload CA Certificate section below]
  3. Once the CSR is downloaded, follow your internal guidance to transfer it to your offline Root CA.
  4. Open “Certification Authority”. [Screenshot: Windows Certification Authority MMC console open on desktop]
  5. Right-click the CA.
  6. Select All Tasks -> Submit new request. [Screenshot: Windows Certification Authority right-click context menu showing Submit new request option highlighted]
  7. Select the downloaded CSR. [Screenshot: Windows file browser showing CSR file selected for submission to offline root CA]
  8. Click Pending Requests. [Screenshot: Windows Certification Authority showing Pending Requests folder with submitted CSR listed]
  9. Right-click the newly created request.
  10. Select All Tasks -> Issue.
  11. Click Issued Certificates. [Screenshot: Windows Certification Authority showing Issued Certificates folder with newly issued certificate]
  12. Double-click the newly issued certificate. [Screenshot: Windows certificate details dialog showing General tab with Certificate Information]
  13. Click the Details tab. [Screenshot: Windows certificate dialog with Details tab highlighted]
  14. Click the “Copy to File…” button. [Screenshot: Windows certificate Details tab showing Copy to File button highlighted]
  15. Click Next.
  16. Select the “Base-64 encoded X.509 (.CER)” option. [Screenshot: Windows Certificate Export Wizard showing Base-64 encoded X.509 CER format option selected]
  17. Click Next.
  18. Select where you want to save the exported certificate. [Screenshot: Windows Certificate Export Wizard showing file name and save location with Browse button highlighted]
  19. Click Next.
  20. Click Finish. [Screenshot: Windows Certificate Export Wizard completion screen with Finish button highlighted]
  21. This creates a .cer file in the location you selected. [Screenshot: Windows Explorer showing exported CA certificate CER file on the desktop]
  22. Follow your PKI team’s guidance on transferring the certificate file from the offline CA to an internet-connected computer.
  23. Once the certificate is on an internet-connected computer, go to https://portal.ezca.io/
  24. Log in with an account that is registered as a PKI Admin in EZCA.
  25. Navigate to Certificate Authorities. [Screenshot: EZCA Cloud PKI dashboard with Certificate Authorities option highlighted in the navigation menu]
  26. Click View Details on the CA you want to import the certificate for. [Screenshot: EZCA Cloud PKI My CAs page listing certificate authorities with View Details button highlighted]
  27. Scroll down to the location you want to import, and click the “Upload CA Certificate” button. [Screenshot: EZCA Cloud PKI CA details page showing Upload CA Certificate button highlighted]
  28. Select the newly exported certificate file. [Screenshot: Windows file browser showing exported CA certificate CER file selected for upload]
  29. Click the “Save Certificate” button. [Screenshot: EZCA Cloud PKI Upload CA Certificate section showing Save Certificate button highlighted]
  30. Repeat these steps for each location.
  31. Your CA is ready to be used!

Registering a Third-Party Certificate Authority with Active Directory

If you are going to use these certificates with Active Directory, you will need to register the CA with Active Directory. The certificates will contain all the information required for smart card certificate authentication in AD, but you still need to register the CA with AD and ensure that your Domain Controllers have the CA certificate in their Trusted Root Certification Authorities store.

Registering the Root CA with Active Directory

First we are going to add the Root CA to the Trusted Root Certification Authorities store on the Domain Controllers. Run the following command from an elevated PowerShell prompt.

certutil.exe -dspublish -f <path to Cloud PKI root CA certificate> RootCA

Registering the Subordinate CA with Active Directory

Next we are going to add the Subordinate CA to the Intermediate Certification Authorities store on the Domain Controllers. Run the following command from an elevated PowerShell prompt.

certutil.exe -dspublish -f <path to Cloud PKI Subordinate CA certificate> SubCA

How to Add the Issuing CA to the NTAuth Store

Finally, we are going to add the issuing CA (the CA that issues the smart card certificates) to the NTAuth store, which is what allows Domain Controllers to accept its certificates for logon. Run the following command from an elevated PowerShell prompt.

certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> NtAuthCa
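As an added example (not part of the EZCA guide or product), the following PowerShell script runs the three certutil publications above in order, but first checks that the issuing CA certificate really chains to the root you are about to trust, and afterwards reads the NTAuthCertificates object from Active Directory to confirm the issuing CA landed there. The certificate file paths are placeholders; run it from an elevated prompt with rights to write to the Configuration partition.

```powershell
param(
    [Parameter(Mandatory)] [string] $RootCaCer,    # placeholder path, e.g. C:\pki\cloud-root.cer
    [Parameter(Mandatory)] [string] $IssuingCaCer  # placeholder path, e.g. C:\pki\cloud-sub.cer
)
$ErrorActionPreference = 'Stop'
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$root = $X509::new($RootCaCer)
$sub  = $X509::new($IssuingCaCer)

# Sanity checks before touching AD: the root must be self-signed and the issuing CA
# must name it as issuer. Publishing the wrong file into NTAuth would make DCs trust
# the wrong issuer for smart card logon, and -f would overwrite an existing object.
if ($root.Subject -ne $root.Issuer) { throw "$RootCaCer is not a self-signed root CA certificate" }
if ($sub.Issuer -ne $root.Subject)  { throw "$IssuingCaCer was not issued by '$($root.Subject)'" }
if ($sub.NotAfter -lt (Get-Date))   { throw "$IssuingCaCer has already expired ($($sub.NotAfter))" }

function Publish-CaToAd([string] $Path, [string] $Container) {
    # Same command as the guide: the last argument selects the AD container
    # (RootCA, SubCA or NTAuthCA); -f forces an update of an existing object.
    $out = & certutil.exe -dspublish -f $Path $Container 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $Container failed:`n$($out -join "`n")" }
    Write-Host "Published $Path -> $Container"
}
Publish-CaToAd $RootCaCer    'RootCA'
Publish-CaToAd $IssuingCaCer 'SubCA'
Publish-CaToAd $IssuingCaCer 'NTAuthCA'

# Verify against the directory itself rather than this machine's enterprise store,
# which is only refreshed on the next autoenrollment / Group Policy pass.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$inNtAuth = foreach ($der in $ntAuth.psbase.Properties['cACertificate']) {
    $X509::new([byte[]]$der).Thumbprint   # each value is one DER-encoded CA certificate
}
if ($inNtAuth -notcontains $sub.Thumbprint) {
    throw "Issuing CA thumbprint $($sub.Thumbprint) not found in NTAuthCertificates"
}
Write-Host "OK: '$($sub.Subject)' is present in NTAuthCertificates."
Write-Host "Run 'certutil -pulse' on a domain controller to pull the new objects down immediately."
```

Domain Controllers otherwise pick up the published objects on their next autoenrollment pass, so a logon test immediately after publishing can fail even though the script reported success.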