AMA: Microsoft Cloud PKI in Intune Suite
Wednesday, Mar 20, 2024, 10:30 AM PDT
Can you really simplify certificate management and move it to the cloud? Let’s get into it! This Ask Microsoft Anything (AMA) session is dedicated to the recently launched Microsoft Cloud PKI in the ...
Char_Cheesman
Updated Dec 27, 2024
Sal_INC2
Mar 20, 2024, Occasional Reader
A few questions that are probably on the minds of some: Does it support an externally created, offline root CA? Does it support custom EKUs? Does it support custom templates? How does security work for enrollment, and how do we limit who can request what certificates? What methods and protocols does it support for enrollment other than SCEP? Can we issue certificates with custom properties similar to ADCS’ “supply in the request”, and how is that secured?
- EricTedj, Mar 20, 2024
Microsoft
Does it support an externally created, offline root CA?
Does it support custom EKUs?
- Yes. Custom EKUs can be added to CAs during creation.
Does it support custom templates?
- Cloud PKI does not use custom templates. All customization is done through the SCEP profile. See: Use SCEP certificate profiles with Microsoft Intune | Microsoft Learn
How does security work for enrollment, and how do we limit who can request what certificates?
- We utilize the SCEP protocol for certificate enrollment. The endpoint is secured so only those devices that have received SCEP enrollment requests through Intune will be able to receive certificates. When an Intune SCEP certificate profile is delivered to a device, Intune generates a custom challenge blob that it encrypts and signs. That challenge needs to be present in the request, or it will be rejected by the SCEP enrollment endpoint.
What methods and protocols does it support for enrollment other than SCEP?
- Certificate delivery for Cloud PKI is currently limited to SCEP certificates. If you are interested in seeing other scenarios supported in the future, please submit feedback to https://aka.ms/IntuneFeedback.
Can we issue certificates with custom properties similar to ADCS’ “supply in the request”, and how is that secured?
- Customization is currently limited to what can be done from within the SCEP profile. If there are additional properties you would like to be able to add to issued certificates, please give us feedback at https://aka.ms/IntuneFeedback.