Part 2 – Configure Azure AD as a Certification Authority
To get to this step, you need to have set up a public-facing CRL, because this part references that URL (see Part 1). This post covers how to extend your CA into Azure AD. If you have multiple CAs in your PKI, keep in mind you'll need to do this for each of them.
1. Grab your root CA certificate (export it to a .cer file) from any domain-joined machine that has it installed. Open certlm.msc, go to Trusted Root Certification Authorities, find your enterprise root CA, open it and click Copy to File. Save it to C:\CA\RootCA.cer
2. Run PowerShell as an Administrator and download the latest Azure AD PowerShell module:
Install-Module -Name AzureAD -RequiredVersion 18.104.22.168
3. To add your CA, you'll need to run a series of PowerShell cmdlets (this step also needs your Global Admin credentials):
Connect-AzureAD
# Read the exported root certificate as raw bytes (Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead)
$cert = Get-Content -Encoding byte "LOCATION OF CER FILE"
$new_ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
$new_ca.AuthorityType = 0            # 0 = root CA, 1 = intermediate CA
$new_ca.TrustedCertificate = $cert   # the certificate bytes read above; the cmdlet needs them to register the CA
$new_ca.crlDistributionPoint = "CRL HTTP URL"
New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca
4. Done. Now Azure AD holds your root CA and can perform a CRL check. You can use Get-AzureADTrustedCertificateAuthority or Remove-AzureADTrustedCertificateAuthority to double-check the entry or fix mistakes you made.
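Since every CA in the chain has to be registered separately, here is an added example (not from the original post) that repeats the procedure above for a root and an issuing CA, pulls the certificates straight from the local machine store instead of a .cer file, checks that each CRL URL actually serves a DER-encoded CRL before registering, and skips CAs Azure AD already knows by thumbprint. It assumes Windows PowerShell 5.1 with the AzureAD module and a Global Admin session; the subject patterns and CRL URLs are placeholders for your own PKI.

```powershell
# Added example: register each CA of an internal PKI with Azure AD, with a CRL check first.
# Subject patterns and CRL URLs are placeholders; replace them with your own PKI's values.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$cas = @(
    @{ Store = 'Cert:\LocalMachine\Root'; SubjectLike = 'CN=Contoso Root CA*';    AuthorityType = 0; Crl = 'http://crl.example.com/RootCA.crl' },
    @{ Store = 'Cert:\LocalMachine\CA';   SubjectLike = 'CN=Contoso Issuing CA*'; AuthorityType = 1; Crl = 'http://crl.example.com/IssuingCA.crl' }
)

# Thumbprints already registered in Azure AD, so re-running the script creates no duplicates.
$existing = Get-AzureADTrustedCertificateAuthority | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_.TrustedCertificate).Thumbprint
}

foreach ($entry in $cas) {
    $cert = Get-ChildItem $entry.Store | Where-Object { $_.Subject -like $entry.SubjectLike } | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate matching $($entry.SubjectLike) in $($entry.Store)"; continue }
    if ($existing -contains $cert.Thumbprint) { Write-Host "$($cert.Subject) is already registered, skipping"; continue }

    # Azure AD downloads the CRL from the internet over plain HTTP, so the URL must return a DER CRL
    # (first byte 0x30, an ASN.1 SEQUENCE). Success from an internal machine still does not prove the
    # URL is reachable from outside your network; that is what Part 1 is for.
    try {
        $resp  = Invoke-WebRequest -Uri $entry.Crl -UseBasicParsing -ErrorAction Stop
        $bytes = $resp.RawContentStream.ToArray()
        if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) { throw "response is not a DER-encoded CRL" }
    } catch {
        Write-Warning "CRL check failed for $($entry.Crl): $_ -- not registering $($cert.Subject)"
        continue
    }

    $ca = New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation
    $ca.AuthorityType        = $entry.AuthorityType   # 0 = root, 1 = intermediate
    $ca.TrustedCertificate   = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $ca.CrlDistributionPoint = $entry.Crl
    New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $ca | Out-Null
    Write-Host "Registered $($cert.Subject) (thumbprint $($cert.Thumbprint))"
}
```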
Now that Azure AD is configured, the next step is to configure ADFS (Part 3).