Let’s learn how to create a Root CA and an Issuing CA using the Intune Cloud PKI service. The Cloud PKI management service in the Intune admin console is where certificate-related tasks are handled in a cloud environment.
Creating, configuring, and managing CAs is vital for secure communication and authentication within the organization’s infrastructure. Within the Intune console, there is a section called Tenant Administration. This is where you manage a service called Cloud PKI, previously known as Managed PKI.
Once you click into Cloud PKI, you enter the area that deals with issuing CAs (Certificate Authorities) and root CAs. Certificate Authorities issue and sign the digital certificates that secure communication.
In Bill Calero’s recent Microsoft Technical Takeoff session, crucial insights were shared regarding the upcoming Microsoft Cloud PKI Version 1 and its strategic plans. The primary objective is to introduce a comprehensive cloud-based solution tailored to Public Key Infrastructure (PKI) services.
What Actions Can I Perform in the Cloud PKI Interface?

You can create new CAs, manage existing ones, and handle tasks related to issuing and managing digital certificates.
Create Root Issuing CA using Intune Cloud PKI Service
Sign in to the Intune Admin Center portal https://intune.microsoft.com/. Once logged in, navigate to the “Tenant administration” section on the left side of the Intune admin center. Under Tenant administration, select Managed PKI.
- Select the Create button from the below window.
When creating a certification authority, you will go through different tabs to set things up. Let’s focus on the “Basics” tab. In this section, you need to give your certification authority a name. For example, you could use “TTO Root CA.” Adding a description is optional; use it to provide additional details about the CA.
Configuration settings are the 2nd tab when creating a certification authority. A root CA must be created before an issuing CA can be created. A root CA can have multiple issuing CAs under it; only issuing CAs can issue leaf certificates to devices and users.
| Configuration Settings | Details |
|---|---|
| CA Type | Root CA |
| Validity period | 10 years |
| Common name (CN) | TTO Root CA |
| Key size and algorithm | RSA-4096 and SHA-512 |
Review + Create
In the Review + Create tab, you get an overview of all tabs: Basics, Configuration settings, etc. You cannot edit a certification authority after it is created. After checking all the details, click the Create button in the window below.
Creating the certification authority takes a few minutes. Refresh the list of certification authorities to see the new CA by clicking the Refresh button shown in the screenshot below. The new certification authority appears with the name TTO Root CA.
| Certification authority name | Status | Type | Common name | Root common name | Issuance | Expiration |
|---|---|---|---|---|---|---|
| TTO Root CA | Active | Root | TTO Root CA | Not applicable | 10/19/2023 | 10/19/2033 |
Now, let’s dive into creating the issuing CA. This step is crucial because the issuing CA plays a key role in signing certificates as requested by the SCEP (Simple Certificate Enrollment Protocol) profile. You must establish the Certificate Registration Authority and the SCEP service on the issuing CA. This SCEP service is closely connected to the issuing CA, ensuring a simple process for handling certificate requests.
- Tenant administration > Managed PKI > Create
In the window for creating a certification authority, you will notice various tabs that guide you through the process. Let’s focus on the “Name” section. Here, you can easily designate the name for your certification authority by entering “TTO Issuing CA.”
- Additionally, there’s an optional space for a description where you can provide extra details if you want.
In the window below, set the CA type to Issuing CA, the Root CA to TTO Root CA, and the common name to TTO Root CA. Select a validity period of 5 years. The subject attributes provide details that help identify this certification authority. The key size and algorithm are inherited from the root CA.
- Select the Next button from the below window.
The Review + Create tab shows all the information related to the certification authority. You cannot edit a certification authority after it’s created.
- After checking all the details, select the Create button
The window below confirms that the TTO Issuing CA has been created. The table below shows the other information related to the TTO Issuing CA. Click the TTO Issuing CA in the window below.
| Certification authority name | Status | Type | Common Name | Root common name | Issuance | Expiration |
|---|---|---|---|---|---|---|
| TTO Root CA | Active | Root | TTO Root CA | Not applicable | 10/19/2023 | 10/19/2033 |
In the window below, you will find essential details, such as the CRL distribution point, which is the URL of this CA’s certificate revocation list. The list is updated every 7 days, so revoked certificates are reflected there. Another key item is the SCEP URL, the Simple Certificate Enrollment Protocol service endpoint tied to this issuing CA.
- This URL is what devices use to submit certificate requests. In addition, the “Download” button lets you obtain the public certificates associated with this issuing CA.
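The hierarchy described in this post (a root CA that only signs issuing CAs, an issuing CA that signs leaf certificates and publishes a CRL every 7 days) can be checked on the downloaded certificates. The script below is an added example and is not code from the page, from Microsoft, or from Cloud PKI: it builds a constructed two-tier hierarchy with the page’s parameters (RSA-4096, SHA-512, 10-year root, 5-year issuing CA) using the `cryptography` library, then runs the checks a defender would run on a real downloaded CA certificate and CRL: chain signature, key size, hash algorithm, validity, CA flag, CRL distribution point, and CRL freshness. The CA names come from the page; the CRL URL, hostname and the 2048-bit leaf key are assumptions.

```python
"""Added example (not the page's or Microsoft's code): model the two-tier
Cloud PKI hierarchy (root CA -> issuing CA -> leaf) and run the checks a
defender would run on a downloaded CA certificate and its CRL.
Assumes the `cryptography` package is installed; names and URL are constructed."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

ROOT_CN, ISSUING_CN = "TTO Root CA", "TTO Issuing CA"       # names from the page
CRL_URL = "http://crl.example.invalid/tto-issuing-ca.crl"  # placeholder, not a real endpoint
NOW = dt.datetime(2023, 10, 19)                             # issuance date shown on the page


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, years, is_ca, issuer=None, crl_url=None, key_size=4096):
    """Return (cert, key). Self-signed when issuer is None, else issuer=(cert, key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(NOW + dt.timedelta(days=365 * years))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if crl_url:  # where relying parties fetch the issuer's revocation list
        builder = builder.add_extension(
            x509.CRLDistributionPoints([x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier(crl_url)],
                relative_name=None, reasons=None, crl_issuer=None)]),
            critical=False)
    return builder.sign(issuer_key, hashes.SHA512()), key  # SHA-512, as on the page


def inspect_cert(cert, issuer_cert):
    """Facts to verify on a downloaded CA cert; the signature is checked against the issuer."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        chain_ok = True
    except Exception:
        chain_ok = False
    try:
        dps = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        crl_dp = dps[0].full_name[0].value
    except x509.ExtensionNotFound:
        crl_dp = None
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "key_bits": cert.public_key().key_size,
        "sig_hash": cert.signature_hash_algorithm.name,
        "validity_days": (cert.not_valid_after - cert.not_valid_before).days,
        "is_ca": cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca,
        "crl_dp": crl_dp,
        "chain_ok": chain_ok,
    }


def make_crl(issuer_cert, issuer_key, days=7):
    """A CRL published by the issuing CA; the page says it is refreshed every 7 days."""
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(issuer_cert.subject)
            .last_update(NOW).next_update(NOW + dt.timedelta(days=days))
            .sign(issuer_key, hashes.SHA512()))


def crl_is_fresh(crl, issuer_cert, now=NOW, max_days=7):
    """True if the CRL is signed by the issuing CA and still inside its publish window."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return False
    return (crl.last_update <= now <= crl.next_update
            and (crl.next_update - crl.last_update).days <= max_days)


def build_hierarchy():
    root, root_key = make_cert(ROOT_CN, 10, True)
    issuing, issuing_key = make_cert(ISSUING_CN, 5, True, issuer=(root, root_key))
    leaf, _ = make_cert("device01.tto.example", 1, False,          # constructed device name
                        issuer=(issuing, issuing_key), crl_url=CRL_URL, key_size=2048)
    return root, issuing, leaf, make_crl(issuing, issuing_key)


if __name__ == "__main__":
    root, issuing, leaf, crl = build_hierarchy()
    print(inspect_cert(issuing, root))
    print(inspect_cert(leaf, issuing))
    print("CRL fresh:", crl_is_fresh(crl, issuing))
```

To check a real download, load the PEM files with `x509.load_pem_x509_certificate` and the CRL with `x509.load_pem_x509_crl` and pass them to `inspect_cert` and `crl_is_fresh` in place of the constructed objects; a `chain_ok` of False on the issuing CA means the file you downloaded was not signed by the root you expect.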
This is the SCEP certificate many of you are already familiar with because this is what you use today with your NDES deployments to issue those certificates using your on-prem infrastructure. It’s a standard tool for managing certificate issuance.
NOTE – Microsoft shared detailed information on creating a Root and Issuing CA using the Intune Cloud PKI service in Bill Calero’s latest Technical Takeoff session: Coming to the Microsoft Intune Suite – Microsoft Cloud PKI! (youtube.com).
Author
About the Author – Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.