Managing certificates in Azure PKI can be a daunting task, especially for large-scale deployments.
To avoid certificate expiration, it's essential to monitor and renew certificates before they reach their expiration dates, typically 1-2 years after issuance.
Regularly review and update your certificate management process to ensure it aligns with your organization's needs and Azure PKI best practices.
Certificate storage and backup are also crucial, as they can be used to recover certificates in case of loss or corruption.
Certificate Requirements
The certificate requirements for Azure Stack Hub are quite specific, and it's essential to follow them to ensure a smooth deployment.
You must issue certificates from either an internal certificate authority or a public certificate authority that's included in the Microsoft Trusted Root Authority Program. This matters both for security and because the certificates must meet the format requirements described below.
In disconnected deployments, certificates issued by a public certificate authority are not supported if the Certificate Revocation List (CRL) endpoint is not accessible.
For certificate rotation, the rules vary depending on the build version: pre-1903 builds require certificates from the same internal certificate authority or a public certificate authority, while builds 1903 and later allow certificates from any enterprise or public certificate authority.
Certificates must be in PFX format, with both public and private keys required for Azure Stack Hub installation. The private key must have the local machine key attribute set, and the PFX encryption must be 3DES.
Here are the key certificate requirements in a summary table:
The presence of intermediate certificate authorities in a certificate's chain of trust is supported, and certificates must be issued from a trusted certificate authority. Self-signed certificates are not supported.
Certificate Export and Storage
Certificate export is a crucial step in Azure PKI. You can export certificates using the Microsoft Management Console (MMC).
To export a certificate, open the MMC, add the Certificates snap-in, and browse to the certificate location. From there, you can select the certificate and export it as a PFX file.
Make sure to create a password that meets the password complexity requirements, and note it down for future use. The password will be used as a deployment parameter.
To export the certificate, follow these steps:
- Open the MMC and add the Certificates snap-in.
- Browse to the certificate location and select the certificate.
- Export the certificate as a PFX file.
- Create a password that meets the password complexity requirements.
- Note down the password for future use.
Export the Certificate
To export a certificate, you'll need to use the Microsoft Management Console. Open the console by right-clicking on the Start Menu, selecting Run, then typing mmc and pressing enter.
First, select File > Add/Remove Snap-In, then select Certificates and select Add. Next, select Computer account, then select Next, and finally select Local computer and then Finish. This will allow you to access the certificates on your computer.
You'll need to browse to Certificates > Enterprise Trust > Certificate location, where you should see your certificate on the right. From the Certificate Manager Console taskbar, select Actions > All Tasks > Export. Select Next, and then select Yes, Export the Private Key, and then select Next.
In the Export File Format section, select Password and provide a password for the certificates. This password should meet the password complexity requirements of being at least 12 characters long, containing at least one uppercase letter, one lowercase letter, and one number. Make note of this password, as you'll need it later.
Choose a file name and location for the PFX file to export, and select Next. Finally, select Finish to complete the export process.
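The same export done from PowerShell instead of the MMC wizard, as an added example that is not part of the original article. It assumes the Windows PKI module (Export-PfxCertificate) and a certificate in the LocalMachine\My store; the thumbprint and output path are placeholders.

```powershell
# Added example, not from the original article: the MMC export above done in PowerShell.
# Assumes the Windows PKI module (Export-PfxCertificate) and that the certificate sits in
# the LocalMachine\My store; thumbprint and output path are placeholders.

# Password rule stated in the article: 12+ characters with upper, lower, digit and special.
function Test-PfxPasswordComplexity {
    param([Parameter(Mandatory)][string] $Password)
    return ($Password.Length -ge 12) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and
           ($Password -match '[0-9]') -and
           ($Password -match '[^A-Za-z0-9]')
}

function Export-AzsHubPfx {
    param(
        [Parameter(Mandatory)][string]       $Thumbprint,  # placeholder: cert thumbprint
        [Parameter(Mandatory)][string]       $OutFile,     # placeholder: e.g. C:\certs\portal.pfx
        [Parameter(Mandatory)][securestring] $Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    if (-not (Test-PfxPasswordComplexity $plain)) {
        throw 'PFX password must be 12+ characters with upper, lower, digit and special character.'
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store; the PFX would be unusable."
    }
    # BuildChain includes intermediates (supported per the article).
    # TripleDES_SHA1 gives the 3DES PFX encryption the article requires; assumption: the
    # -CryptoAlgorithmOption parameter exists only in recent PKI module versions.
    $cert | Export-PfxCertificate -FilePath $OutFile -Password $Password `
        -ChainOption BuildChain -CryptoAlgorithmOption TripleDES_SHA1 | Out-Null
    return Get-Item -Path $OutFile
}

# Usage (placeholders):
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-AzsHubPfx -Thumbprint 'THUMBPRINT_PLACEHOLDER' -OutFile 'C:\certs\example.pfx' -Password $pw
```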
Creating a Blob Storage Account
Creating a Blob Storage Account is a crucial step in storing CRL information in Azure Blob Storage. You must first create a storage account, and although an existing one can be leveraged, it's recommended to compartmentalize your storage accounts and other services related to PKI.
To create a new storage account, log in to portal.azure.com and navigate to Storage Accounts. Select Create, then enter a valid Subscription and Resource Group. You can also create a new Resource Group specifically for PKI if one doesn't exist.
A meaningful Storage account name is essential, so enter a new one; for this example, we'll use labgrassapki. Choose the region closest to where your clients will most commonly check for CRLs, as high latency can have a negative impact on CRL revocation check times.
Standard performance is sufficient for most situations, but carefully consider Redundancy options. For this example, we'll be configuring Standard performance with Geo-zone-redundant storage (GZRS), with the Make read access to data available in the event of a regional unavailability option.
Here are the steps to create a Blob Storage Account:
- Log in to portal.azure.com.
- Navigate to Storage Accounts.
- Select Create.
- Enter a valid Subscription and Resource Group.
- OPTIONAL: Create a new Resource Group specifically for PKI if one does not exist.
- Enter a new meaningful Storage account name.
- Choose the region closest to where your clients will most commonly check for CRLs.
- Configure Redundancy options.
Once you've completed these steps, review the configuration and click Create. You may need to wait a few minutes until the deployment is complete, but once done, click Go to resource.
Publishing and Protecting Certificates
You must issue certificates from either an internal certificate authority or a public certificate authority. If a public certificate authority is used, it must be included in the base operating system image as part of the Microsoft Trusted Root Authority Program.
The certificate's PFX encryption should be 3DES. The certificate signature algorithm shouldn't be SHA1. The certificate format must be PFX, as both the public and private keys are required for Azure Stack Hub installation.
A complex password is required to protect the certificate PFX. The password must meet the following password complexity requirements: at least 12 characters, at least one uppercase letter, at least one lowercase letter, at least one digit, and at least one special character.
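A check for an exported PFX against the requirements listed here and under Certificate Requirements above, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later; the path and password are placeholders, and the PFX container's 3DES encryption is not visible on the loaded certificate object, so it is not checked.

```powershell
# Added example, not from the original article: validates an exported PFX against the
# requirements above (private key present, signature not SHA1, not self-signed, chain builds
# to a trusted root, not near expiry). Assumes Windows PowerShell 5.1+; path and password
# are placeholders. The container's 3DES encryption cannot be read from the loaded
# certificate object, so it is not checked here.
function Test-AzsHubPfx {
    param(
        [Parameter(Mandatory)][string]       $PfxPath,
        [Parameter(Mandatory)][securestring] $Password,
        [switch] $Disconnected   # skip online CRL checks, as in a disconnected deployment
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $plain)
    $findings = @()

    if (-not $cert.HasPrivateKey) { $findings += 'PFX does not contain the private key' }
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match 'sha1') { $findings += "signature algorithm is $sigAlg; SHA1 is not allowed" }
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'certificate is self-signed; not supported' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "expires $($cert.NotAfter); renew now" }

    # Build the chain so intermediates and the root are verified on this host. With online
    # revocation checking, an unreachable CRL endpoint fails the build, which mirrors the
    # article's caveat about public CAs in disconnected deployments.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $mode  = if ($Disconnected) { 'NoCheck' } else { 'Online' }
    $chain.ChainPolicy.RevocationMode = $mode
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain does not build to a trusted root: $status"
    }

    [pscustomobject]@{
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        SigAlg    = $sigAlg
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage (placeholders):
# Test-AzsHubPfx -PfxPath 'C:\certs\example.pfx' -Password (Read-Host -AsSecureString)
```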
Here are the certificate requirements for Azure Stack Hub:
Publish Root and Issuing CA Certs and CRLs
You can manually publish your root and issuing CA public certificates and CRLs using the Microsoft Management Console (MMC) Certification Authority snap-in.
First, log in to the root CA and open the MMC Certification Authority snap-in. Right-click Revoked Certificates and select All Tasks > Publish. Select New CRL and click OK.
The CA public certificate and CRL(s) will be updated at C:\Windows\System32\CertSrv\CertEnroll. Copy the .CRL and .CRT file(s) to another workstation that can log in to Azure.
To upload the certificates and CRLs to Azure, navigate to the Azure Blob Storage account you created and select Containers > aia. Click Upload and select the .crt file. Select Upload and confirm the upload was successful.
Then, navigate to Containers > cdp and click Upload. Select the .crl file(s) and confirm the upload was successful.
After waiting about a minute for the blob storage to propagate, you should see new results when running the certutil -url command against a newly issued certificate.
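The publish-and-upload procedure above as a script, added here as an example that is not part of the original article. It assumes a host that is both the CA and has the Az.Storage module with an authenticated Az session (otherwise run the certutil step on the CA and the rest from the workstation); the resource group name is a placeholder.

```powershell
# Added example, not from the original article: publishes a new CRL and uploads the CA
# certificate and CRL(s) to the aia and cdp containers, then checks each blob is reachable.
# Assumes the Az.Storage module and an authenticated Az session on the CA host; the
# resource group name is a placeholder.
function Publish-CaArtifactsToBlob {
    param(
        [Parameter(Mandatory)][string] $ResourceGroup,
        [Parameter(Mandatory)][string] $StorageAccount,
        [string] $CertEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'
    )
    # Same action as MMC: Revoked Certificates > All Tasks > Publish > New CRL.
    & certutil.exe -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -crl failed; run on the CA as a CA administrator.' }

    $ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context
    # Upload with the registered MIME types so relying parties parse the blobs as certs/CRLs.
    $uploads = @(
        @{ Container = 'aia'; Filter = '*.crt'; ContentType = 'application/pkix-cert' },
        @{ Container = 'cdp'; Filter = '*.crl'; ContentType = 'application/pkix-crl' }
    )
    foreach ($u in $uploads) {
        foreach ($f in Get-ChildItem -Path $CertEnroll -Filter $u.Filter) {
            Set-AzStorageBlobContent -File $f.FullName -Container $u.Container -Blob $f.Name `
                -Context $ctx -Properties @{ ContentType = $u.ContentType } -Force | Out-Null
            # The containers must allow anonymous blob read, or clients cannot fetch the CRL.
            $url  = "https://$StorageAccount.blob.core.windows.net/$($u.Container)/$($f.Name)"
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing
            [pscustomobject]@{
                File        = $f.Name
                Url         = $url
                Status      = $resp.StatusCode
                ContentType = $resp.Headers['Content-Type']
            }
        }
    }
}

# Usage (placeholders):
# Publish-CaArtifactsToBlob -ResourceGroup 'rg-pki' -StorageAccount 'labgrassapki'
```

After the propagation delay, `certutil -verify -urlfetch <issued.cer>` is the command-line form of the certutil -url check and should retrieve the new CRL from the cdp container.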
Here's a step-by-step guide to uploading your CA certificates and CRLs to Azure:
ESC15 Vulnerability: Protecting Your AD CS
To protect your AD CS, it's essential to prepare Azure Stack Hub PKI certificates for deployment or rotation. External certificates used to secure endpoints on external infrastructure and services must be managed separately during the certificate rotation process.
The expiration dates of your external Azure Stack Hub certificates should be aligned with the expiration dates of your other external certificates, including those for Azure Container Registry (ACR). Protecting your PFX for ACR with the same password as your other external certificate PFXs is also recommended.
Certificate files obtained from the certificate authority (CA) must be imported and exported with properties matching Azure Stack Hub's certificate requirements. This ensures they meet the necessary standards for deployment or rotation.
Certificate-Based Authentication
Certificate-Based Authentication is a secure way to log in to your Azure PKI. It uses X.509 certificates to authenticate users directly through Microsoft Entra ID, providing phishing-resistant authentication.
This method is more secure than federated certificate-based authentication, which required Active Directory Federation Services (ADFS) deployment. Direct authentication with Microsoft Entra ID eliminates reliance on a federated IdP and removes a lateral movement path from Active Directory.
Microsoft Entra ID can verify the type of Multifactor Authentication (MFA) used, whereas ADFS often depends on Kerberos, which can't ensure MFA usage or the specific type. This means you can have more control over your authentication security.
To configure Certificate-Based Authentication, you need to follow four major steps. These steps include configuring your trusted CA certificates, authentication bindings, user account bindings, and enabling CBA as an authentication method.
Here are the four major steps to configure CBA:
- Configure your trusted CA certificates.
- Configure your authentication bindings.
- Configure your user account bindings (Protection and Affinity Levels).
- Enable CBA as an authentication method.
- Test CBA.
When configuring the username binding policy, you create the binding by selecting one of the X.509 certificate fields to bind to one of the user attributes. You can select either the userPrincipalName or the OnPremisesUserPrincipalName field to map to, then select Save.
Prerequisites and Configuration
To set up Azure PKI, you'll need a PKI environment, user certificates issued from the PKI, and an internet-accessible Certificate Revocation List (CRL). Having hybrid/Entra ID joined devices is optional but highly recommended.
To make the transition to Certificate-Based Authentication (CBA) smoother, consider using a "Staged Rollout" approach rather than switching your authentication method all at once. This allows you to test out CBA features without disrupting your entire domain.
Here are the prerequisites for CBA:
- A PKI environment.
- User certificates issued from the PKI.
- An internet-accessible Certificate Revocation List (CRL).
- Hybrid/Entra ID joined devices (optional, but highly recommended).
- In a hybrid configuration, an Active Directory on-premises infrastructure synced to Microsoft Entra ID.
CBA Configuration
To configure CBA, you'll need to follow four major steps. The first step is to configure your trusted CA certificates.
Configure your trusted CA certificates by following the specific steps outlined in the Microsoft Entra admin center. This will ensure that your organization's certificates are recognized and trusted by the system.
Next, you'll need to configure your authentication bindings. This involves setting up the authentication methods that will be used to verify user identities.
After completing these steps, you'll need to enable CBA on the tenant. To do this, sign in to the Microsoft Entra admin center as an Authentication Policy Administrator and browse to Protection > Authentication methods > Certificate-Based Authentication.
By following these steps, you'll be able to configure CBA and enable it as an authentication method for your organization. This will provide a secure and phishing-resistant login experience for your users.
Prerequisites
To set up Azure Stack Hub, you'll need a PKI environment. This is the foundation for secure authentication and authorization.
A PKI environment is a must-have, and it should include user certificates issued from this environment. This ensures that all devices and users have the necessary credentials to access Azure Stack Hub.
You'll also need an internet-accessible Certificate Revocation List (CRL). This is crucial for verifying the authenticity of certificates and preventing potential security risks.
Hybrid/Entra ID joined devices are optional but highly recommended. They provide an extra layer of security and make it easier to manage your Azure Stack Hub environment.
In a Hybrid configuration, you'll need an Active Directory on-premises infrastructure synced to Microsoft Entra ID. This ensures seamless integration between your on-premises and cloud-based environments.
Configure Certification Authorities
To configure certification authorities, you'll need to sign in to the Microsoft Entra admin center as a Global Administrator. This is the first step in the process, and it's essential to get it right.
You'll then need to browse to Protection > Show more > Security Center (or Identity Secure Score) > Certificate Authorities. From there, you can select Upload to add a new certificate authority.
It's crucial to continue adding certificates until all root and intermediate certificates are uploaded. This will ensure that your certification authorities are properly configured.
Here are the specific steps to follow:
- Sign in to the Microsoft Entra admin center as a Global Administrator.
- Browse to Protection > Show more > Security Center (or Identity Secure Score) > Certificate Authorities.
- Select Upload to add a new certificate authority.
- Continue adding certificates until all root and intermediate certificates are uploaded.
For each upload, select the correct certificate in the certificate picker UI and select OK to complete the process.
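The same trusted-CA configuration done through Microsoft Graph instead of the portal picker, as an added example that is not part of the original article. It assumes the Microsoft.Graph module, Connect-MgGraph with Organization.ReadWrite.All, DER or PEM .cer files and their internet-reachable CRL URLs (all placeholders), and the assumption that the tenant holds a single certificateBasedAuthConfiguration object that is deleted and re-created with the full CA list in one POST.

```powershell
# Added example, not from the original article: uploads the root and intermediate CA
# certificates for CBA through the Microsoft Graph certificateBasedAuthConfiguration API
# rather than the portal picker. Assumes the Microsoft.Graph module, Connect-MgGraph with
# Organization.ReadWrite.All, .cer files and internet-reachable CRL URLs (placeholders).
# Assumption: the tenant holds a single configuration object, so the existing one is
# deleted and the complete CA list is re-created in one POST.
function Set-EntraCbaCertificateAuthorities {
    param(
        # Each item: @{ Path = 'C:\ca\root.cer'; IsRoot = $true; CrlUrl = 'http://.../root.crl' }
        [Parameter(Mandatory)][hashtable[]] $Authorities
    )
    $orgId = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/organization').value[0].id
    $base  = "https://graph.microsoft.com/v1.0/organization/$orgId/certificateBasedAuthConfiguration"

    $cas = foreach ($a in $Authorities) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($a.Path)
        if ($cert.NotAfter -lt (Get-Date)) { throw "$($a.Path) is expired; do not trust it for sign-in." }
        @{
            isRootAuthority              = [bool] $a.IsRoot
            certificate                  = [Convert]::ToBase64String($cert.RawData)  # DER as base64
            certificateRevocationListUrl = $a.CrlUrl
        }
    }
    # Every CA listed here becomes a sign-in trust anchor for the tenant, so include only
    # the root and intermediates that should be able to authenticate users.
    $existing = (Invoke-MgGraphRequest -Method GET -Uri $base).value
    foreach ($e in $existing) { Invoke-MgGraphRequest -Method DELETE -Uri "$base/$($e.id)" }

    $body = @{ certificateAuthorities = @($cas) } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json'
}

# Usage (placeholders):
# Set-EntraCbaCertificateAuthorities -Authorities @(
#     @{ Path = 'C:\ca\root.cer';    IsRoot = $true;  CrlUrl = 'http://pki.example.com/root.crl' },
#     @{ Path = 'C:\ca\issuing.cer'; IsRoot = $false; CrlUrl = 'http://pki.example.com/issuing.crl' }
# )
```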
Frequently Asked Questions
What is PKI in Azure?
PKI in Azure is a cloud-based service that simplifies certificate management for devices, providing a dedicated public key infrastructure without on-premises servers or hardware. It automates certificate lifecycle management for Intune-managed devices.
Does Azure have a certificate authority service?
Yes, Azure offers a Certificate Authority service called EZCA, which can be easily set up in minutes via the Azure portal. With EZCA, you can create your own Certificate Authority and start issuing certificates right away.
Is PKI outdated?
PKI systems can be outdated, but many modern enterprise systems are available to address security concerns and improve efficiency.
How much does Microsoft PKI cost?
Microsoft PKI costs $2 per user per month. This affordable price makes it an attractive option for businesses looking to secure their online identity.