How can we improve Windows Azure security and compliance?

PKI as an Azure Service

Certificate Services (ADCS/PKI/CA) should be offered as a service in Azure, at least for infrastructure purposes such as machine certificates for MFM, Wi-Fi access and
for user web authentication, e.g. to Azure itself. CA private keys can be stored in Azure Key Vault to be secured.
A hybrid client should be provided to support autoenrollment for Windows 7 and later clients, to simulate an on-premises Enterprise CA. The web interface should be in Azure and support platforms other than Windows.
I am willing to spend time and effort to be part of a user group, think tank, beta test group, etc. for such a service.

I am aware that SSL certificates can already be renewed automatically, but there is a fleet of on-premises machines and tablets out there as well. Such a service can also be an add-on in Intune.

I am aware of this posting https://feedback.azure.com/forums/216840-security-and-compliance/suggestions/397203-add-full-pki-implementation-with-certificate-manag and support this as well.

505 votes
Lutz Mueller-Hipper shared this idea

7 comments

  • Mike commented

    Given the nature of Microsoft Autopilot, this should be a key service.

  • Phil Morrow commented

    The other feedback linked has been under review since 2014... what's the deal, MS, any progress? Would be great if it used Azure Key Vault, with or without an HSM.

  • Jaime Hablutzel commented

    Do you really think that it would be appropriate to store production CA keys in Azure Key Vault HSM? What about the possible security implications? It wouldn't provide the same level of security as managing your own HSM, as in this case you would be sharing access to your keys with Microsoft. Do you think that it would provide compliance for a PKI to be used to issue legally binding digital signature certificates?

  • Gregg Dolby commented

    This would be a huge benefit to many businesses. Having to deploy, maintain, upgrade and migrate enterprise CA / PKI services is a real pain.

  • Lin Pei commented

    Any progress on this topic? I think there are many business requirements for PKI as a Service.
