Hey everyone! I'm not super familiar with PKI solutions and I'm curious about what a good PKI architecture looks like. My thoughts started around setting up EAP-TLS and related certification requirements. One critical aspect for me is ensuring that certificates are tied to AD/Entra ID accounts, so when an account is disabled, the corresponding certificate gets disabled automatically.
For environments with on-prem AD and domain-joined computers, my thoughts include:
- Setting up a Windows Server for ADCS, OCSP Responder, and NDES.
- Configuring a cloud NAC/Radius server to request certificates using SCEP from the ADCS.
- Setting up OCSP to validate the certificates through the OCSP Responder.
- Having ADCS manage the lifecycle of the certificates effectively, ensuring that new devices are included and that disabling a computer also puts its certificate out of commission.
In a hybrid Intune/AD environment, I'm considering:
- Using SCEPMAN for managing the certificates.
- Leveraging Intune/MDM to push certificate profiles.
- Again, configuring a cloud NAC/Radius server for SCEP requests from SCEPMAN.
Is this setup valid? Would love to hear your thoughts! 🙂
5 Answers
About your setup, just a heads up: ADCS doesn't offer much in terms of automation by default. It’s not inherently set up to revoke certificates when a computer is disabled; you’d need to script that. We're planning to move to Microsoft Cloud PKI once it’s capable of handling SSL certificates since it automates a lot of the functions and integrates more easily with Intune.
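The "you'd need to script that" part of the comment above, as an added example (not the commenter's or Microsoft's code): a PowerShell job that finds issued computer certificates whose AD computer account is disabled and revokes them on an ADCS CA. The CA config string, template name, and use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread: revoke issued EAP-TLS computer certificates
# whose AD computer account has been disabled. CA config string and template
# name are placeholders; run on a host with certutil and the ActiveDirectory module.
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # placeholder, see: certutil -dump
$Template = 'CorpComputerEapTls'                   # placeholder template name
$DryRun   = $true                                  # set to $false to actually revoke

Import-Module ActiveDirectory

# 1. Build a lookup of disabled computer accounts (sAMAccountName ends with '$').
$disabled = @{}
Get-ADComputer -Filter 'Enabled -eq $false' |
    ForEach-Object { $disabled[$_.SamAccountName.ToUpperInvariant()] = $true }

# 2. Pull issued rows (Disposition 20) from the CA database as CSV and assign
#    fixed column names so the script does not depend on localized header text.
$rows = certutil -config $CaConfig -view -restrict 'Disposition=20' `
            -out 'SerialNumber,RequesterName,CertificateTemplate,NotAfter' csv |
        ConvertFrom-Csv -Header Serial,Requester,Template,NotAfter |
        Select-Object -Skip 1   # drop certutil's own header row

$now = Get-Date
$toRevoke = foreach ($r in $rows) {
    # Ignore trailer lines or anything that is not a hex serial number.
    if ($r.Serial -notmatch '^[0-9a-fA-F]+$') { continue }
    if ($r.Template -notlike "*$Template*")  { continue }
    # NotAfter is printed in the host culture; parse it the same way.
    if ([datetime]::Parse($r.NotAfter) -lt $now) { continue }   # already expired
    # Requester looks like 'CORP\WS01$'; keep only the account part.
    $account = ($r.Requester -split '\\')[-1].ToUpperInvariant()
    if ($disabled.ContainsKey($account)) { $r }
}

# 3. Revoke with reason 5 (CessationOfOperation) and publish a fresh CRL so the
#    OCSP responder and RADIUS server pick up the change.
foreach ($r in $toRevoke) {
    if ($DryRun) { "Would revoke $($r.Serial) ($($r.Requester))"; continue }
    certutil -config $CaConfig -revoke $r.Serial 5 | Out-Null
    "Revoked $($r.Serial) ($($r.Requester))"
}
if (-not $DryRun -and $toRevoke) { certutil -config $CaConfig -CRL | Out-Null }
```

Run it as a scheduled task on the CA (dry-run first, then with `$DryRun = $false`) and keep the CRL/OCSP publication interval short enough that a disabled account loses network access within the window your policy requires.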
That's correct! Transitioning your setup to a hybrid domain-joined + Intune environment is essential before fully utilizing Cloud PKI.
Your approach of linking certificates to AD/Entra IDs and utilizing OCSP for revocation seems solid! Just make sure your renewal and revocation policies are automated; those typically cause the most issues if they’re not.
Lol, it’s funny to see 'modern' paired with 'ADCS' in the same conversation!
I can't contribute much, but I want to acknowledge my own lack of cert knowledge. I handle Windows servers in a large VMware setup (~6,000 VMs), and our AD team manages the certs. I feel like I really need to get a better grasp on this subject – I mostly handle cert imports or check things like expiration dates.
This setup sounds similar to what we have in place. Our main issue, though, is having to create an AD object for each Intune workstation on-prem, which can be a hassle due to the strict linking of certificates. We're working on transitioning away from NPS because it's quite a headache.

I see your point, but if you're considering Cloud PKI and your current setup is just domain-joined with no Intune, wouldn't you need to upgrade to a hybrid model with Intune first?