How to Create an Azure-Based CA for Intune

How to create Intune SCEP Certificate Authority In Azure
31 Jan 2023

Create an Azure Based Certificate Authority for Intune In Minutes with EZCA

For many years, users have been asking for an Azure based PKI that can issue SCEP certificates for Intune. Today we are happy to announce that our Azure based CA can now issue SCEP certificates for Intune.

With this integration, organizations can now use passwordless authentication for their Virtual Private Network (VPN), network infrastructure, and more, without the need for a large on-premises infrastructure. This includes eliminating the need for domain controllers, certificate authorities, hardware security modules (HSMs), certificate revocation list (CRL) servers, and SCEP servers.

Intune SCEP Connection Diagram

By leveraging Keytos’s Azure-based PKI solution, organizations can now easily and securely issue and manage SCEP certificates for Intune, without the need for a large team to maintain and manage their infrastructure. This aligns with Keytos and Microsoft’s shared vision of allowing organizations to go fully passwordless in a cloud-only environment, democratizing cybersecurity by lowering the barriers of entry and enabling organizations to have a secure and compliant infrastructure without the need for a large team to maintain it.


What is SCEP?

Before we get started, we must understand what the Simple Certificate Enrollment Protocol (SCEP) is. SCEP is a certificate enrollment standard that enables devices to request certificates by presenting a key (an enrollment challenge) provided by a trusted third party. The Certificate Authority (CA) must be able to communicate with this trusted third party (in this case Intune) to validate that the key presented by the device is allowed to request a certificate before issuing it.
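The trust relationship described above (device presents a challenge obtained from the MDM; the CA refuses to issue until the MDM confirms the challenge) is the part of the flow worth seeing concretely. The following is an added example written for this post, not Keytos or EZCA code and not Intune's actual API: it models the third party as a small challenge service that issues HMAC-bound, one-time, expiring challenges, and a cloud CA that validates each enrollment through that service. The message fields, the `MdmChallengeService` and `CloudCa` names, and the shared secret are all assumptions; in real SCEP the challenge travels in the PKCS#10 `challengePassword` attribute.

```python
"""Model of the SCEP enrollment trust flow: the CA never trusts the device's
challenge on its own, it asks the third party (the MDM) to validate it.
Added example; names, fields and secret are constructed assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class MdmChallengeService:
    """Stands in for the trusted third party (Intune in the post).
    Issues challenges bound to a device, a profile and the expected subject,
    and validates them for the CA. Only the CA calls validate()."""
    secret: bytes                      # shared with the CA, never with devices
    ttl_seconds: int = 600
    now: Callable[[], float] = time.time   # injectable clock for testing
    _used: set = field(default_factory=set)

    def issue_challenge(self, device_id: str, profile: str, subject: str) -> str:
        exp = int(self.now()) + self.ttl_seconds
        nonce = secrets.token_hex(8)
        payload = f"{device_id}|{profile}|{subject}|{exp}|{nonce}"
        tag = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def validate(self, challenge: str, csr_subject: str) -> Tuple[bool, str]:
        """Checks integrity, expiry, subject binding and one-time use, in that order."""
        parts = challenge.split("|")
        if len(parts) != 6:
            return False, "malformed"
        payload, tag = "|".join(parts[:5]), parts[5]
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"
        _device_id, _profile, subject, exp, nonce = parts[:5]
        if int(exp) < self.now():
            return False, "expired"
        if subject != csr_subject:          # device may not ask for another identity
            return False, "subject mismatch"
        if nonce in self._used:             # each challenge enrolls exactly once
            return False, "replayed"
        self._used.add(nonce)
        return True, "ok"


@dataclass
class CloudCa:
    """The Azure-side CA: issues only after the MDM validates the challenge."""
    validator: MdmChallengeService
    issued: list = field(default_factory=list)

    def enroll(self, csr: Dict[str, str]) -> Dict[str, str]:
        # csr is a simplified stand-in: 'subject' plus the challengePassword value
        ok, reason = self.validator.validate(csr["challenge"], csr["subject"])
        if not ok:
            return {"status": "FAILURE", "reason": reason}
        self.issued.append(csr["subject"])
        return {"status": "SUCCESS", "subject": csr["subject"]}


def demo() -> Dict[str, str]:
    """Runs the happy path and the four failure modes a CA must reject."""
    clock = [1_700_000_000]                # constructed, deterministic time
    mdm = MdmChallengeService(secret=b"constructed-shared-secret",
                              now=lambda: clock[0])
    ca = CloudCa(validator=mdm)
    results = {}

    # Device received this challenge from the MDM with its certificate profile
    chal = mdm.issue_challenge("device-1234", "vpn-user-cert", "CN=device-1234")
    results["valid"] = ca.enroll({"subject": "CN=device-1234", "challenge": chal})["status"]
    results["replay"] = ca.enroll({"subject": "CN=device-1234", "challenge": chal})["reason"]

    chal2 = mdm.issue_challenge("device-1234", "vpn-user-cert", "CN=device-1234")
    results["subject_mismatch"] = ca.enroll({"subject": "CN=admin", "challenge": chal2})["reason"]

    chal3 = mdm.issue_challenge("device-1234", "vpn-user-cert", "CN=device-1234")
    tampered = chal3.replace("CN=device-1234", "CN=admin")
    results["tampered"] = ca.enroll({"subject": "CN=admin", "challenge": tampered})["reason"]

    chal4 = mdm.issue_challenge("device-1234", "vpn-user-cert", "CN=device-1234")
    clock[0] += 601                        # past the 600 s TTL
    results["expired"] = ca.enroll({"subject": "CN=device-1234", "challenge": chal4})["reason"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the device is never the party that decides whether it may enroll: the challenge is opaque to it, bound to the subject the MDM expects, usable once, and short-lived, and the CA's only job before signing is to ask the MDM whether the challenge is acceptable for the CSR in hand.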

Completely Replace Your ADCS with a Cloud-Based CA

EZCA completely replaces your on-premises ADCS CA by allowing you to achieve all the functions that your legacy CA did, without needing to worry about the maintenance and upkeep it takes to run a highly available PKI. In addition to Intune SCEP certificates, EZCA can issue the following certificate types:

Domain Controller Certificates for Hello For Business Hybrid

One of the key components of passwordless authentication and any modern IT stack is Windows Hello for Business. It gives users a convenient passwordless way to authenticate to corporate resources. EZCA creates the domain controller certificates required for Hybrid Key Trust Hello For Business deployment.

Regular SSL Certificates for Internal Sites and Service to Service Authentication

When EZCA was created, the main goal was to help organizations automate the issuance of SSL certificates for all scenarios. We do this via Azure integrations, in addition to enabling other modern certificate issuance methods such as local ACME, which lets your engineers use the tools they are already familiar with for certificate lifecycle automation.

Smart Card Certificates

If you are looking at issuing SCEP certificates to Intune devices, you are probably also looking at other passwordless authentication methods such as smart cards, authentication with Azure CBA, and perhaps even FIDO2 keys. EZCA connects to EZCMS, the first fully passwordless authentication onboarding tool for Azure.

Getting Started

We bet you are as excited as we are for this new integration, so we wanted to share with you the necessary steps to get your Intune SCEP certificate distribution up and running:

1) Register the Keytos Application in your tenant and register the EZCA Intune Application in your tenant. This will allow EZCA to authenticate your users and check the certificate request status in Intune in order to issue certificates to your Intune-managed devices.

2) Create your EZCA Instance In Azure.

3) Once you have your EZCA instance, you are ready to create your Intune CA.

4) Finally, create your Intune device profiles and start issuing secure certificates to your users' devices.

How Intune Issues SCEP Certificates using an Azure CA

Secure and Compliant

At the heart of any reliable identity management system lies security and compliance. That’s why we take these pillars seriously. While it may be easy to set up and connect EZCA to Intune, you can rest assured that we take the necessary steps to secure our infrastructure and meet and exceed worldwide regulatory compliance standards. With EZCA, you can trust that your Azure PKI is being run as a world class PKI with the highest level of security and compliance.

Keytos Is Here For Your Passwordless Journey

Modernize All Your PKI with EZCA

While in this blog we only talk about the new Intune integration, EZCA also offers other features that make it the best PKI solution for Azure customers, such as our automatic Azure application certificate rotation with Key Vault, Azure IoT (Internet of Things) one-click integration, ADCS CA management, and local ACME integration.

Full Passwordless Authentication With FIDO2, SmartCard and Phone Authentication

Our main goal at Keytos is to help organizations go fully passwordless. While we just saw how EZCA can help you by issuing SCEP certificates for your devices with Intune, one of the biggest hurdles for passwordless authentication is user onboarding. Learn how EZSmartCard can work with EZCA to help organizations go fully passwordless.

Let Us Help

If you would like to learn more or talk to a PKI expert about setting up your own Intune CA, you can Talk to a PKI expert for FREE. We are here to help you on your passwordless journey, and ensure that your PKI is set up properly and securely.

Get a Free PKI Assessment

Talk to one of our identity experts about how EZCA can reduce your IT cost while improving your user productivity and security. Schedule Free Assessment
