The need for robust, scalable, and cost-effective security solutions is now more relevant than ever. An innovation that addresses these needs is the Microsoft Cloud Public Key Infrastructure (PKI) within the Intune Suite. It is a powerful tool designed to simplify and enhance the management of certificate authorities (CAs) and the lifecycle of certificates.
What is Microsoft Cloud PKI?
Microsoft Cloud PKI in the Intune Suite is designed to streamline the traditionally complex and expensive process of managing PKI. It allows system administrators (SysAdmins) to create, revoke, and manage certificates directly through Intune, eliminating the need for cumbersome on-premises PKI infrastructure. This approach not only reduces costs but also simplifies the administrative overhead.
Certificates are crucial for authentication, providing a secure and seamless experience for users. By verifying user identity through trusted certificates, businesses can enhance security and trust within their IT ecosystems.
Watch Microsoft’s Steven DeQuincey and Dave Chomas team up with Mobile Mentor’s Denis O’Shea and Neil Misak to explain and demo Cloud PKI in the Intune Suite.
Deployment Models: Greenfield and Brownfield
Deploying Microsoft Cloud PKI within the Intune Suite can follow two primary models: Greenfield and Brownfield.
Greenfield: Creating a New Certificate Authority
The Greenfield model involves creating a new certificate authority (CA) within Intune. Here’s a step-by-step overview of the process:
1. Root CA Deployment: The Cloud PKI root certificate needs to be distributed to all relying parties.
2. Certificate Discovery: If an issuing CA certificate is missing on a relying party, it can be retrieved and installed automatically by the certificate chaining engine (CCE), which establishes the trust chain by fetching any missing parent certificates.
3. Trust Chain Deployment: Deploy the Cloud PKI certificate trust chain, that is, the root and issuing CA public keys (certificates), to all relying parties so that trust is established across the infrastructure.
4. System Limitation: There is a limit of six certification authorities, each with its own Simple Certificate Enrollment Protocol (SCEP) service. RSA keys and a choice of hash algorithms are also supported.
Brownfield: Leveraging Existing Certificate Authorities
The Brownfield model allows businesses to use their existing CAs and issue certificates to devices through Intune. Here’s how it works:
1. BYOCA Deployment: Intune-managed devices need the relevant CA certificates: the private CA trust chain, that is, the root and issuing CA certificates that signed the BYOCA certificate signing request (CSR), and the BYOCA issuing CA certificate itself.
2. Trusted Chain Deployment: For a Cloud PKI BYOCA issuing CA that chains to a private root CA, the trusted chain of private CA certificates (root CA and issuing CA) should already be deployed across the infrastructure.
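Both the Greenfield steps (root distribution, certificate discovery, trust chain deployment) and the Brownfield steps come down to the same check on each relying party: is the whole chain, root plus issuing CA, present, and if not, which parent is missing? The Go program below is an added example written for this article; it is not code from the page, from Microsoft, or from Intune. It constructs a throwaway root -> issuing -> device hierarchy with placeholder names (no real Cloud PKI identifiers are involved), verifies the device certificate against what a relying party already holds, and reports the first absent issuer, which is the gap the certificate chaining engine would have to fill. `NewTestChain`, `VerifyRelyingParty` and `MissingIssuer` are names assumed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check panics on error: the fixture below is constructed, so any failure is a bug.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewTestChain builds a constructed root -> issuing -> leaf hierarchy with throwaway ECDSA P-256
// keys, standing in for a Cloud PKI root CA, its issuing CA and a device certificate (placeholder names).
func NewTestChain() (root, issuing, leaf *x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}
		if ca { // CAs carry basic constraints and cert-signing key usage instead
			c.IsCA, c.BasicConstraintsValid = true, true
			c.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		return c
	}
	// issue makes a fresh key for t and signs t with parentKey (self-signed when parent is nil).
	issue := func(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		if parent == nil {
			parent, parentKey = t, key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
		check(err)
		c, err := x509.ParseCertificate(der)
		check(err)
		return c, key
	}
	root, rootKey := issue(tmpl(1, "Example Cloud PKI Root CA", true), nil, nil)
	issuing, issKey := issue(tmpl(2, "Example Cloud PKI Issuing CA", true), root, rootKey)
	leaf, _ = issue(tmpl(3, "managed-device-0001", false), issuing, issKey)
	return root, issuing, leaf
}

// VerifyRelyingParty checks leaf against what a relying party already holds (roots: its trusted
// root store; intermediates: issuing CA certs it has). nil means a complete chain was built.
func VerifyRelyingParty(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// MissingIssuer walks from leaf toward the root using only the certificates in have, as a chaining
// engine does before fetching a parent; it returns the first absent issuer DN, or "" if complete.
func MissingIssuer(leaf *x509.Certificate, have []*x509.Certificate) string {
	for cur := leaf; ; {
		if bytes.Equal(cur.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(cur) == nil {
			return "" // reached a self-signed root
		}
		var parent *x509.Certificate
		for _, c := range have {
			if bytes.Equal(c.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				parent = c
				break
			}
		}
		if parent == nil {
			return cur.Issuer.String()
		}
		cur = parent
	}
}

func main() {
	root, issuing, leaf := NewTestChain()
	fmt.Println("chain complete:", VerifyRelyingParty(leaf, []*x509.Certificate{root}, []*x509.Certificate{issuing}) == nil)
	fmt.Println("issuing CA absent, parent to fetch:", MissingIssuer(leaf, []*x509.Certificate{root}))
}
```

With only the root distributed, verification fails and `MissingIssuer` names the issuing CA, which is the situation step 2 (certificate discovery) resolves; the walk here is an offline stand-in and does not fetch anything, unlike the real chaining engine. Calling `VerifyRelyingParty` with an empty root list models a device that never received the root certificate (step 1): it fails as well, because a retrieved issuing CA is of no use without a trusted root, which is why the full trust chain is deployed in both the Greenfield and the Brownfield model.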
Scope and Maturity
Microsoft Cloud PKI is a mature solution, with Microsoft issuing thousands of new certificate authorities and tens of thousands of certificates each month. This high adoption rate underscores the reliability and effectiveness of the Cloud PKI solution within the Intune Suite.
Enhancing Endpoint Management Strategy
Integrating Cloud PKI with your endpoint management strategy offers several key benefits:
Conclusion
Microsoft Cloud PKI in the Intune Suite is a game-changer for businesses looking to enhance their certificate management processes. By offering both Greenfield and Brownfield deployment models, it provides flexibility and efficiency, making it an indispensable tool for modern endpoint management strategies.