Create Root and Issuing CA using Intune Cloud PKI Service

This post walks through creating a Root CA and an Issuing CA with the Intune Cloud PKI service. The Cloud PKI management service in the Intune admin console is where certificate-related tasks are handled in a cloud environment.

Creating, configuring, and managing CAs is vital for ensuring secure communication and authentication within the organization’s infrastructure. Within the Intune console, there is a part called Tenant Administration. This is where you handle a service called Cloud PKI, previously known as Managed PKI.

Once you click into Cloud PKI, you enter the area that deals with issuing CAs (Certificate Authorities) and root CAs. Certificate Authorities issue and sign the digital certificates that secure communication and authentication.

In Bill Calero’s recent Microsoft Technical Takeoff session, crucial insights were shared regarding the upcoming Microsoft Cloud PKI Version 1 and its strategic plans. The primary objective is to introduce a comprehensive cloud-based solution tailored to Public Key Infrastructure (PKI) services.


What Actions Can I Perform in the Cloud PKI Interface?


You can create new CAs, manage existing ones, and handle tasks related to issuing and managing digital certificates.

Create Root and Issuing CA using Intune Cloud PKI Service

Sign in to the Intune Admin Center portal at https://intune.microsoft.com/. Once logged in, navigate to the “Tenant administration” section on the left side of the Intune admin center. Under Tenant administration, select Managed PKI.

  • Select the Create button from the window below.
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.1 – Creds to Bill Calero Microsoft

When creating a certification authority, you will go through different tabs to set things up. Let’s focus on the “Basics” tab. In this section, you need to give your certification authority a name, for example “TTO Root CA.” Adding a description is optional; use it to provide additional details about the CA.

Create Root and Issuing CA using Intune Cloud PKI Service – Fig.2 – Creds to Bill Calero Microsoft

Configuration settings is the second tab when creating a certification authority. A root CA must be created before an issuing CA can be created. A root CA can have multiple issuing CAs; only issuing CAs can issue leaf certificates to devices and users.

Configuration Settings        Details
CA Type                       Root CA
Validity period               10 years
Common name (CN)              TTO Root CA
Key size and algorithm        RSA-4096 and SHA-512
Create Root and Issuing CA using Intune Cloud PKI Service – Table 1
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.3 – Creds to Bill Calero Microsoft

Review + Create

In the Review + Create tab, you get an overview of all tabs: Basics, Configuration settings, etc. You cannot edit a certification authority after it is created. After checking all the details, click the Create button in the window below.

Create Root and Issuing CA using Intune Cloud PKI Service – Fig.4 – Creds to Bill Calero Microsoft

Creating a certification authority takes a few minutes. Refresh the list of certification authorities to see the new CA by clicking the Refresh button shown in the screenshot below. The new certification authority appears with the name TTO Root CA.

Certification authority name   Status   Type   Common name    Root common name   Issuance     Expiration
TTO Root CA                    Active   Root   TTO Root CA    Not applicable     10/19/2023   10/19/2023
Create Root and Issuing CA using Intune Cloud PKI Service – Table 2
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.5 – Creds to Bill Calero Microsoft

Now, let’s dive into creating the issuing CA. This step is crucial because the issuing CA signs the certificates requested through the SCEP (Simple Certificate Enrollment Protocol) profile. The Certificate Registration Authority and the SCEP service are established on the issuing CA. This SCEP service is closely tied to the issuing CA, giving a simple process for handling certificate requests.

  • Tenant administration > Managed PKI > Create
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.6 – Creds to Bill Calero Microsoft

In the window for creating a certification authority, you will notice various tabs that guide you through the process. Let’s focus on the “Name” section. Here, you set the name for your certification authority by entering “TTO Issuing CA.”

  • Additionally, there’s an optional description field where you can provide extra details if you want.
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.7 – Creds to Bill Calero Microsoft

In the window below, set the CA type to Issuing CA, the Root CA to TTO Root CA, and the common name to TTO Root CA. Select a validity period of 5 years. The subject attributes provide details to help identify this certification authority. The key size and algorithm are inherited from the root CA.

  • Select the Next button from the window below.
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.8 – Creds to Bill Calero Microsoft

The Review + Create tab shows all the information related to the certification authority. You cannot edit a certification authority after it’s created.

  • After checking all the details, select the Create button.
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.9 – Creds to Bill Calero Microsoft

The window below shows that the TTO Issuing CA has been created. The table below shows the other information related to the certification authorities. Click TTO Issuing CA in the window below.

Certification authority name   Status   Type   Common Name    Root common name   Issuance     Expiration
TTO Root CA                    Active   Root   TTO Root CA    Not applicable     10/19/2023   10/19/2033
Create Root and Issuing CA using Intune Cloud PKI Service – Table 3
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.10 – Creds to Bill Calero Microsoft

In the window below, you will find essential details, such as the CRL distribution point, which is the URL of your certificate revocation list. This list is updated every 7 days, so revoked certificates are reflected in it. Another key item is the SCEP URL, the Simple Certificate Enrollment Protocol service endpoint tied to this issuing CA.

  • This URL is what the SCEP profile uses to submit certificate requests. The “Download” button lets you obtain the public certificates associated with this issuing CA.
Create Root and Issuing CA using Intune Cloud PKI Service – Fig.11 – Creds to Bill Calero Microsoft
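As an added example (not from the original post, and not Microsoft’s or Intune’s own tooling), the PowerShell below reads the Root CA and Issuing CA .cer files obtained with the Download button, reports the settings chosen above (RSA-4096, SHA-512, 10-year root and 5-year issuing validity), confirms the issuing CA actually chains to the downloaded root, and can fetch the CRL from the CRL distribution point to show its update window. The script name, the .cer file names and the -FetchCrl switch are assumptions; the rest uses standard .NET X509 classes and certutil.

```powershell
# Added example (not from the original post): inspect the Root CA and Issuing CA
# certificates saved from the Cloud PKI "Download" button, confirm the issuing CA
# chains to the root, and optionally fetch the CRL named in the issuing CA's CDP.
# Usage (script name and file names are assumptions):
#   .\Test-CloudPkiChain.ps1 -RootCerPath 'TTO Root CA.cer' -IssuingCerPath 'TTO Issuing CA.cer' -FetchCrl
param(
    [string]$RootCerPath    = '.\TTO Root CA.cer',
    [string]$IssuingCerPath = '.\TTO Issuing CA.cer',
    [switch]$FetchCrl
)

$x509    = 'System.Security.Cryptography.X509Certificates'
$root    = New-Object "$x509.X509Certificate2" $RootCerPath
$issuing = New-Object "$x509.X509Certificate2" $IssuingCerPath

function Get-CaSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Label)
    # GetRSAPublicKey is a .NET extension method, so call it through its static class
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { 'not RSA' }
    $years = [math]::Round(($Cert.NotAfter - $Cert.NotBefore).TotalDays / 365.25, 1)
    # CRL distribution points are carried in extension OID 2.5.29.31; a root CA normally has none
    $cdpExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpUrl = $null
    if ($cdpExt -and ($cdpExt.Format($true) -match 'URL=(\S+)')) { $cdpUrl = $Matches[1] }
    [pscustomobject]@{
        Label      = $Label
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Signature  = $Cert.SignatureAlgorithm.FriendlyName   # expect sha512RSA
        KeySize    = $keySize                                 # expect 4096 on both CAs
        ValidYears = $years                                   # expect 10 (root) / 5 (issuing)
        Expires    = $Cert.NotAfter
        CdpUrl     = $cdpUrl
    }
}

$rootInfo    = Get-CaSummary -Cert $root    -Label 'Root CA'
$issuingInfo = Get-CaSummary -Cert $issuing -Label 'Issuing CA'
$rootInfo, $issuingInfo | Format-List

# Build the issuing CA's chain with the downloaded root supplied as an extra anchor.
# The cloud root is not yet in this machine's Trusted Root store, so allow an
# unknown CA during Build() and then verify ourselves that the chain ends at our root;
# with that flag alone Build() would also succeed on a partial chain.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built  = $chain.Build($issuing)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if ($built -and $anchor.Thumbprint -eq $root.Thumbprint) {
    "OK: '$($issuing.Subject)' chains to '$($root.Subject)'"
} else {
    "FAIL: issuing CA does not chain to the downloaded root"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}
$chain.Dispose()

# Optional: download the CRL from the CDP and show its update window.
# The post states the Cloud PKI CRL is refreshed every 7 days, so NextUpdate
# should fall about a week after ThisUpdate.
if ($FetchCrl -and $issuingInfo.CdpUrl) {
    $crlPath = Join-Path $env:TEMP 'issuing-ca.crl'
    Invoke-WebRequest -Uri $issuingInfo.CdpUrl -OutFile $crlPath
    certutil -dump $crlPath | Select-String 'ThisUpdate|NextUpdate|CRL Entries'
}
```

Revocation checking is deliberately switched off during the chain build because the root itself is not yet trusted on the machine; the optional CRL download covers the revocation side separately, and it is the issuing CA’s CDP that matters because that is the CRL a relying party will consult for the SCEP-issued leaf certificates.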

This is the SCEP certificate many of you are already familiar with, because it is what you use today with your NDES deployments to issue certificates from your on-premises infrastructure. SCEP is a standard protocol for managing certificate issuance.

Create Root and Issuing CA using Intune Cloud PKI Service – Fig.12 – Creds to Bill Calero Microsoft

Video: Coming to the Microsoft Intune Suite – Microsoft Cloud PKI! (youtube.com)

NOTE! – Microsoft shared detailed information on creating a Root and Issuing CA using the Intune Cloud PKI Service in Bill Calero’s latest Technical Takeoff session.


Author

About the Author – Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.
