Cloud PKI in Intune: The Future of Secure Certificate Management

This blog dives deep into the recently launched Cloud PKI, a game-changer for simplifying and automating certificate management within your Intune environment.

Farewell, On-Premises PKI!

For years, managing on-premises Public Key Infrastructures (PKI) meant juggling complex configurations, laborious manual tasks, and hefty infrastructure costs. Enter Cloud PKI, a game-changer recently integrated within Intune. This cloud-based service streamlines and automates certificate management, freeing up valuable resources and enhancing security not limited to:

Cloud-native experience: Eliminate the need for on-premises servers, reducing deployment time and simplifying ongoing maintenance.
Unified management console: Manage certificates and devices from a single pane of glass within the familiar Intune interface, enhancing efficiency and reducing context switching.
Automated lifecycle management: Streamline certificate issuance, renewal, and revocation, freeing up valuable IT resources for higher-level tasks.

This guide delves into the advanced integration of Cloud PKI with Intune, aimed at empowering Intune administrators with the knowledge to implement a more secure and efficient management environment.

Deploying Cloud PKI in Microsoft Intune

Deploying Cloud PKI within Microsoft Intune involves a strategic process aimed at enhancing device management and security across your organization. This deployment enables secure communication, authentication, and encryption for devices managed by Intune. Here's a comprehensive breakdown of the deployment process.

Understanding Cloud PKI in Microsoft Intune

Before diving into deployment, it's crucial to grasp what Cloud PKI entails. It is a cloud-based public key infrastructure that simplifies certificate management without the need for extensive on-premises infrastructure. It's ideal for securing communications between your devices and the resources accessed by them.

Planning Your Deployment

Identify Certificate Requirements: Determine the types of certificates your organization needs, such as SSL/TLS, email encryption, and device authentication.
Evaluate Trust Levels: Consider the trust level required for your certificates. Higher trust levels may necessitate a more complex PKI infrastructure.

Choosing a PKI Model

Microsoft-Managed vs. BYOCA: Decide whether to use Microsoft Cloud PKI or to bring your own CA. Each option has its benefits, with Microsoft-managed offering simplicity and BYOCA offering greater control.

Step 1: Create root CA in admin center

Integrating the Microsoft Cloud PKI with Microsoft Intune simplifies the certificate management process, making it an attractive option for organizations looking to deploy Cloud PKI. This approach leverages Microsoft's infrastructure to issue and manage certificates, reducing the complexity and maintenance overhead for your organization. Here's how to get started with configuring the Microsoft Cloud PKI in Intune:

Sign in to the Microsoft Intune admin center.
Go to Tenant administration > Cloud PKI, and then select Create.

For Basics, enter the Name and description for the CA object.

Configure the following settings for the root CA:
- CA type: Select Root CA.

Validity period: Select 5, 10, 15, 20, or 25 years.

If you want to create a root CA with a custom validity period then you can use Microsoft Graph API to create the CAs.
For Extended Key Usages, select how you intend to use the CA.

Under Subject attributes enter a Common name (CN) & other properties for the root CA.

Under Encryption, enter the Key size and algorithm and click Next.

When you're ready to finalize everything, select Create.

💡

You won't be able to edit these properties after you create the CA. If needed, select Back to edit the settings and ensure they're correct and satisfy your PKI requirements. If later you need to add another EKU, you must create a new CA.

Step 2: Create Issuing CA in admin center

For Intune-managed devices, certificates must be issued by an issuing CA. A SCEP service that serves as a certificate registration authority is automatically provided by Cloud PKI. Using a SCEP profile, it makes certifications requests on behalf of Intune-managed devices to the issuing CA.

Return to Tenant administration > Cloud PKI.
Enter a Name and optional Description for so you can distinguish this CA from others in your tenant.

Select Next to continue to Configuration settings.
Select the CA type and root CA source.

For root CA source: Select Intune

Select the required validity period.

For Extended Key Usages, select how you intend to use the CA.

Under Subject attributes enter a Common name (CN) and other properties for the issuing CA.

Review and create.

Step 3: Download the certificates

You need the public keys for both issuing and root CA certificates in order to build the trusted certificate profile needed for Cloud PKI. When requesting a certificate using SCEP certificate profiles, the public keys create a chain of trust between Intune managed devices and Cloud PKI. To download the public keys for these certificates, select Download.

For the root CA:

Sign in to the Microsoft Intune admin center.
Go to Tenant administration > Cloud PKI.
Select a CA that has a root type.
Go to Properties.
Select Download. Wait while the public key downloads.

For the issuing CA:

Return to your Cloud PKI list.
Select a CA that has an issuing type.
Go to Properties.
Select Download. Wait while the public key downloads.

Step 4: Create the trusted certificate profile

Create one trusted certificate profile for the root CA certificate and one for the issuing CA.

Sign in to the Microsoft Intune admin center.
Select and go to Devices > Configuration > Create.
Enter the following properties:
- Platform: Choose the platform of the devices that will receive this profile.
- Profile: Depending on your chosen platform, select Trusted certificate or select Templates > Trusted certificate.
Select Create.

In Configuration settings, specify the .cer file for the trusted Root CA Certificate you previously exported.

Select Next & assign the profile.

Step 5: Create the SCEP certificate profile

For every OS platform you intend to target, create a SCEP certificate profile, just as you did for the trusted certificate profiles. To obtain a leaf client authentication certificate from the issuing CA, using the SCEP certificate profile. This kind of certificate is utilized in scenarios involving certificate-based authentication, such as VPN and Wi-Fi access.

Return to Tenant administration > Cloud PKI.
Select a CA that has an Issuing type.
Go to Properties.
Next to the SCEP URI property, select Copy to clipboard.
In the admin center, create a SCEP certificate profile for each OS platform you're targeting.
In the profile, under Root Certificate, link the trusted certificate profile. The trusted certificate you select must be the root CA certificate that the issuing CA is anchored to in the CA hierarchy.

Assign and review the profile. When you're ready to finalize everything, select Create.

Create New Root CA Using Graph API

With Graph API, you may set up your Cloud PKI Root CA. Using the configurations I've previously specified, the Graph API request below will deploy a Root CA. I am using Postman to create the certificate. Make sure you adjust the necessary elements in accordance with your needs:

You will get a status code of 200 which means it has been created successfully.

Let's verify this in Intune Admin Center:

Now, let's create the issuing certificate also using Postman.

Status 200 - Successfully created.

Verify in Intune Admin Center:

Validate Certificate Deployment

After configuring the CA, verify its integration with Intune by issuing a test certificate. Let's verify locally on a device to see the certificates installed:

Conclusion

Deploying Cloud PKI in Microsoft Intune is a critical step towards securing your organization's digital communications and data while at the same time reducing your on-prem foot prints.. By carefully planning your deployment, configuring your CA, creating detailed certificate profiles, and closely monitoring the deployment process, you can ensure a successful integration. Remember, a well-implemented Cloud PKI infrastructure simplifies certificate management while bolstering security across your managed devices.