PKI in the cloud with SCEPman Part 1
Hello everyone, this is another interesting post about a PKI environment in the cloud. This solution from Glueckkanja-gab runs completely in Azure and is a good fit when you are moving to the cloud. PKI environments need a lot of management, and setting up NDES is time consuming. This solution will save you a lot of that time. This is part one of the series.
Topics in this post
Prerequisites and overview
- Azure Subscription
- Intune license
- Azure Active Directory (AzureAD Join) or Active Directory (Hybrid Domain Join)
- Windows 10/11 device that is enrolled with Intune (AzureAD or Hybrid)
- Global Administrator account for Azure (needed for the permission script later in this post)
Important
This solution will also work if you have no resources in Azure yet, because the PKI environment is reachable from the internet. That is by design: your Intune-enrolled devices must be able to reach the SCEP endpoint from wherever they are, so the protection comes from SCEPman validating each certificate request against Intune before issuing, not from network location. You still own the Azure resources, so keep the App Service and Key Vault patched and monitored like any other internet-facing service.
What are the benefits of having a PKI environment in the cloud?
- No server management
- Have a redundant setup in the Microsoft cloud
- Scale options are easy to adjust
- Community Edition is free to use for smaller businesses
Important
You have subscription costs for SCEPman Enterprise, but you must also pay for all the services that are set up in Azure. The Community Edition also uses resources in Azure, so it is not free of Azure consumption costs either.
First we need to decide which version of SCEPman is needed for your deployment. There are two editions of the product.
- Community Edition
- Lab environments
- Small businesses
- Easy testing of SCEPman
- Enterprise Edition
- Productive environments
- Scalability and performance
- Enterprise feature set
Deploy SCEPman Base Services
- The first step to configure SCEPman is to go to the Azure portal and search the Marketplace for SCEPman. I will choose the subscription to get the key for the Enterprise Edition. If you want to set up the Community Edition, you can choose the deployment directly and start without a product key.
- Now we can create the subscription in Azure for SCEPman. Please create a new resource group for this subscription, so that all SCEPman resources (and their permissions) stay together.

- At the section of Review + subscribe you can click on Subscribe to get a license key from SCEPman.

- Now you will have to wait until SCEPman has reached out to you with a serial key. When this key is available, you can start the deployment of SCEPman. We will choose the Production Channel template of SCEPman Enterprise. This can be done by clicking on the following URL: Production Channel template. Now you see the following screen in the Azure portal. Be sure to replace the UNIQUENAME placeholder in every field. Now you can use your key to activate the product as Enterprise Edition. Then you can click on Review + create to deploy SCEPman. If you get conflict errors, check the length of the names: some of the resources created by the template (storage account, Key Vault) have short maximum name lengths and must be globally unique, so the shorter your unique name, the more likely the deployment succeeds.

- When you check your resource group. The following services should have been created with the Production Channel template.

Set permissions for SCEPman
- Now we need to set the right permissions on several services in Azure for SCEPman. Open the App Service in your resource group and browse to its URL. Do NOT choose the App Service whose name ends in cm (if you used the naming convention from the template, that is the Certificate Master companion app, not SCEPman itself).

- When accessing the URL you will see the finishing step to configure the right permissions. This script must be run in Azure Cloud Shell (PowerShell) in the Azure portal. It is also possible to run this script locally, but then you need to install the Azure CLI first. Here is a screenshot of my screen in the webpage from SCEPman.

- Now you can run this script in the Azure portal with PowerShell. Please click on the following icon in the portal to start the shell. Then the welcome screen of the Azure Cloud Shell is visible.

- Please click on PowerShell to open the shell. If there is no storage account for this shell yet, create it, otherwise you cannot finish the configuration. Then you will see the following screen.

- Now you can type in the console. Paste the copied lines into this shell to set the permissions. When all is done you will see the following screen.

Create Root certificate
- The service is now up and running. We can now create the Root certificate for SCEPman. We can do that by accessing the URL again and clicking on the text click here to start. Then you must accept the terms and click on Create First Node.

- After a few minutes you can refresh the webpage and see the greyed out text of the button Get CA Root Cert turn blue. Now you can download your Root certificate. Be aware that the downloaded file is DER (binary) encoded, so it is not readable in a program like Notepad. If you need the Base64 (PEM) form, import the certificate into the computer store and export it again in Base64 format. Before you distribute the root anywhere, check that it really is a self-signed CA certificate and record its thumbprint, so you can recognise it later.
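The import/export round trip through the certificate store can be replaced by a few lines of PowerShell. The following is an added example, not part of the original post or of SCEPman itself: it reads the downloaded DER file, checks that it is a self-signed CA certificate, prints the thumbprint and validity, and writes a Base64 (PEM) copy. The file paths are assumptions; point them at your own download.

```powershell
# Added example (not from the original post or SCEPman). Inspect the downloaded
# root certificate and convert it from DER to Base64 (PEM) without importing it
# into the computer store first.
# Assumptions: $RootPath and $PemPath are placeholder paths; the input file is a
# DER-encoded X.509 certificate (the "not readable in Notepad" format).
$RootPath = "$HOME\Downloads\scepman-root.cer"   # assumed download location
$PemPath  = "$HOME\Downloads\scepman-root.pem"   # assumed output location

$bytes = [System.IO.File]::ReadAllBytes($RootPath)
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)

# Checks worth doing before this ends up in a Trusted Certificate profile:
# a root must carry Basic Constraints CA=true and be self-issued.
$bc = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate: $($cert.Subject)"
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root: issuer is $($cert.Issuer)"
}

# Record these; the thumbprint is what you compare against later.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Algorithm  = $cert.SignatureAlgorithm.FriendlyName
}

# PEM armor around Base64 with line breaks, written as ASCII so any text editor
# (and a Trusted Certificate profile upload) can read it.
$pem = @(
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    '-----END CERTIFICATE-----'
) -join "`n"
Set-Content -Path $PemPath -Value $pem -Encoding ascii
```

If you only need the conversion and not the checks, the built-in `certutil -encode scepman-root.cer scepman-root.pem` does the same DER to Base64 conversion in one command.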

Configure a custom domain with SSL certificate (optional)
- The next step for SCEPman is a custom domain, so your service has a URL that you can remember. Skip this step and steps 14 and 15 (the SSL binding and the BaseUrl setting below) if you need high-availability and geo-redundancy in Azure. These steps are not required, but they are recommended. You can go to the App Service and click on Custom domains. I will use my own provider, because that is where my domain is hosted. I will create the subdomain and validate the records like the following screenshot. Validation can take some time. Make sure to use the CNAME record type. I had a warning that no matching TXT record was found. This message can be ignored. If validation does not pass, add the asuid TXT record shown in the dialog (it proves domain ownership to App Service) and validate again. After the validation is passed you can click on Add.

- This domain is now usable in the App Service. Now we need to create an SSL binding for secure traffic. Click on Add binding and let the App Service create the certificate by clicking on Validate and then on Add. The certificate is now being generated by the App Service. When everything is finished you will see a green checkmark at the Status of your custom domain.

- The application settings need to be changed for this custom domain, because SCEPman uses the BaseUrl setting to build the URLs it hands out. Click on Configuration in the App Service. Then click on Application settings and edit the setting AppConfig:BaseUrl. Enter the full URL of your custom domain (including https://) and click on OK. Then click on Save.
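The same change can be made from Azure Cloud Shell with the Az PowerShell module, which is handy when you have several instances or want the change in a script. The following is an added example, not part of the original post or of SCEPman: it updates AppConfig:BaseUrl, reads it back, and then requests the CA certificate over the custom domain as an end-to-end check. The resource group, app name and domain are assumptions, and the SCEP endpoint path is the standard MSCEP path that is assumed to be where your instance serves SCEP.

```powershell
# Added example (not from the original post or SCEPman). Set AppConfig:BaseUrl
# with the Az PowerShell module and verify the custom domain end to end.
# Requires the Az.Websites module and a prior Connect-AzAccount.
$rg      = 'rg-scepman'                 # assumed resource group name
$app     = 'scepman-UNIQUENAME'         # assumed; the App Service WITHOUT the cm suffix
$baseUrl = 'https://scep.example.com'   # assumed custom domain, scheme included

$webApp = Get-AzWebApp -ResourceGroupName $rg -Name $app

# Set-AzWebApp -AppSettings replaces the ENTIRE app-settings collection.
# Copy the existing settings before changing one key, or SCEPman loses
# the rest of its configuration (Key Vault, Intune, logging, ...).
$settings = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings['AppConfig:BaseUrl'] = $baseUrl
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null

# Read the value back rather than trusting that the call succeeded.
$after = (Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings |
         Where-Object Name -eq 'AppConfig:BaseUrl'
"AppConfig:BaseUrl is now: $($after.Value)"

# End-to-end check over the new name: the SCEP GetCACert operation should
# answer with the CA certificate, and Invoke-WebRequest will fail if the
# managed TLS certificate on the custom domain is not trusted by this client.
# Assumption: SCEPman serves SCEP at the standard MSCEP path below.
$resp = Invoke-WebRequest -Uri "$baseUrl/certsrv/mscep/mscep.dll?operation=GetCACert" -UseBasicParsing
"HTTP $($resp.StatusCode), $($resp.Headers['Content-Type']), $($resp.RawContentLength) bytes"
```

If the last request fails with a TLS error, the binding from the previous step is not finished or not trusted yet; if it returns something other than a certificate, check that BaseUrl and the custom domain really point at the SCEPman App Service and not at the cm app.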

Configure logging with App Service Logs
- To get the logging up and running we need to create the Log Collection for SCEPman. You will need a storage account in Azure to set this up; a blob container is enough to store your application logs. Then go to the section Monitoring in the App Service and open App Service logs. Configure the settings as in the following screenshot and click on Save. Keep the retention period in line with how long you want to be able to investigate certificate issuance after the fact.

Deploy Application Insights
- It is important to have Application Insights, so you have a graphical representation of the data from your SCEPman instance: data like failed requests, availability and server response time for a specific time slot. To configure this, click on your App Service and go to Application Insights, under the section Settings. First you need to turn on Application Insights. Then you will have extra settings to configure. Configure the settings as in the following screenshot. Then you can click on Apply.
