As many of you who follows the world of Microsoft Intune might now, Microsoft launched a new service called Cloud PKI in the beginning of March, well it was announced in the beginning of February but didn’t show up and available until March (with the 2403 update for Intune I believe).
Today we will dig into what Cloud PKI is and why you should care. We will also take a quick look at how you get started!
Why Cloud PKI?
In the modern world, we are shifting an increasing number of workloads to the cloud, and one thing that has traditionally been left on-premises for endpoint clients has been certificate issuing and PKI. I’m absolutely no PKI guy, and I don’t think most people in the device world are which makes this even more interesting since we can now deploy a root CA with ease from Microsoft Intune.
The Cloud PKI service is part of the Microsoft Suite bundle and provides support for either a cloud-based root and issuing CA or bring-your-own root CA (which is what you need if you are using the CA to authenticate on-premises resources). The Cloud PKI can also be purchased as a stand-alone service outside the Intune Suite.
One thing to keep in mind however, this is a service targeted towards endpoint devices, so you might not be able to do all the things you are doing today with your on-premises PKI infrastructure. However, if you want to go all in cloud and get rid of that on-premises dependency for your endpoints, this is great!
What does it cost?
Like I mentioned, the Cloud PKI service is a part of the Intune Suite, which is priced at $10 per month per user (list price). If you would like to purchase this as a stand-alone service,
You can also active a free trial for 90 days in you tenant to try it out. Do keep in mind that the trial version of Cloud PKI does not use hardward backed HSM, it uses a software HSM.
Keep in mind that Cloud PKI is not the only service of it’s kind, there are others out there like SCEPman which has been a popular service for this in the past.
Getting started!
So how do we create our root CA and issuing CA with the Cloud PKI service in Intune?
Head over to the Intune portal at intune.microsoft.com and navtigate to the Tenant administration blade. In here, you will find a new option called “Cloud PKI” which is where we will create our CA.
As you can see in my environment, I have trial activated so it’s indiacating that it will expire in 78 days. This means that my CA is not backed by a hardware HSM, it uses the software HSM.
To create our first root CA, we simply click on “+ Create” in the ribbon. The first step in the process is to give our root CA a name. Then click Next.
On the next step we will add all the information about our environment and the information needed in the CA. Please be aware that you CANNOT update any information once the CA has been created, so make sure to fill it out correctly.¨
On the first half we will select that we want to create a root CA, how long its valid fore and what it can be used for. In this example I’ve only added a few. Please be aware that what you choose for the root CA is what the issuing CA will have as options for extended key usage.
Next, we will fill out the Subject attributes, where only the common name is a mandatory field, but make sure to fill this out based on your own requirements as you cannot update this later on. Also, you will need to select a key size and algorithm at the bottom based on your requirements.
When we have added all this information, we can just move through the rest of the wizard with the next button and our root CA will be created. Before you create the root CA, make sure to double check your settings on the last step.
You have now successfully created your first root CA using Cloud PKI! Let’s create our issuing CA as well. We basically repeat the steps again, but instead of root CA we will select issuing CA. When you are selecting the Root CA source, you will notice that you can also use bring your own CA which we will not cover in this post.
Fill out the rest of the information based on your requirements and walk through the wizard to create it. Make sure to validate all the information on the last step, since you wont be able to update it afterwards.
We have now created our very first cloud root CA and issuing CA which can be used in e.g. your SCEP profiles.
If we want to use these CAs in our SCEP profiles, the information about the SCEP URI can be found if you click on the CA and go to properties. You will also find a lot of other useful information in there, and also download them to be distributed through Intune or other management tool.
Closing notes
I hope this gave you a brief introduction to how you can get started with Cloud PKI in the Microsoft Intune Suite. We have covered how you create your first root CA and issuing CA.
Happy clicking!
Author
-
Ola Ström is a Microsoft MVP for Windows 365 from Sweden and he is one of the first expert contributors in this community. Make sure to follow him as he guides us in the world of Windows 365 and Microsoft Intune!
View all posts