AWS re:Inforce 2024 - Secure and increase mobile workforce productivity with AWS for MDM (DAP201-NEW)
Summary
TL;DR: This video script introduces AWS Private CA (Certificate Authority), its new connector, and how it integrates with mobile device management (MDM) solutions. Through demonstrations it walks through how to set up AWS Private CA and how to use the new connector to work with an MDM and issue certificates to mobile devices. It also covers the benefits of AWS Private CA, its security controls, and a range of enterprise use cases.
Takeaways
- 🌟 AWS Private CA (Certificate Authority) is a cloud-based managed service designed to improve enterprise security and productivity.
- 🛡️ AWS Private CA keeps CA private keys in HSMs (Hardware Security Modules): keys are generated there, signing happens there, and the keys are never exportable, which meets enterprise security requirements.
- 🔧 Combining an MDM (Mobile Device Management) solution with AWS Private CA strengthens the security and management of mobile devices.
- 📲 The Connector for SCEP (Simple Certificate Enrollment Protocol) lets an MDM enroll certificates on mobile devices from AWS Private CA.
- 🔑 AWS offers several certificate services; ACM (AWS Certificate Manager) can provision, manage and deploy private certificates issued by AWS Private CA to integrated services.
- 🤖 AWS Private CA exposes APIs and SDKs, so certificate issuance and revocation can be automated and developers get certificates quickly.
- 🏢 Enterprises can use AWS Private CA to secure resources inside and outside AWS: users, devices, service meshes, containers, IoT devices and more.
- 📈 AWS Private CA provides audit logs of certificate issuance and revocation and publishes certificate status through OCSP and CRLs, supporting compliance and security audits.
- 🌐 It is available in AWS Regions around the world, so enterprises can issue and manage certificates with geographic distribution in mind.
- 💰 AWS Private CA is pay-as-you-go: per-certificate charges accrue only for certificates actually issued, which makes cost management straightforward (the CA itself has its own pricing, acknowledged when the CA is created).
- 🔄 AWS Private CA scales with enterprise needs, maintaining high availability while meeting certificate demand.
Q & A
What kind of service is AWS Private CA?
- AWS Private CA is a managed, cloud-based CA solution whose private keys are backed by HSMs (hardware security modules). By using a service that AWS operates, enterprises reduce the operational cost and complexity of running their own PKI.
What is an MDM solution and what are its benefits?
- An MDM (Mobile Device Management) solution lets enterprise administrators apply and enforce policies on mobile devices. With an MDM, employee productivity improves and the enterprise can cut the cost of issuing corporate devices, for example by allowing employees to bring their own device.
What are AWS Private CA connectors?
- Connectors are bridges that let AWS Private CA be used in environments that already have a native certificate distribution mechanism. Examples are the connectors for Active Directory and Kubernetes, which issue certificates automatically in those environments.
What does "secure endpoint" mean here?
- It refers to the SCEP endpoint that the Connector for SCEP creates on your behalf. Requests to that endpoint are authenticated with a challenge password before a certificate is issued from the private CA.
What certificate services does AWS offer?
- AWS offers ACM (AWS Certificate Manager) for provisioning, managing and deploying public and private certificates; AWS Private CA (formerly ACM Private CA) for running a private PKI hierarchy; and AWS Signer for code signing. Each serves a different purpose.
Can certificate validity periods and usage be customized?
- Yes. AWS Private CA lets you customize validity periods and certificate contents such as subject and extensions, and these operations can be automated through the APIs and SDKs.
Where can certificates issued by AWS Private CA be used?
- In many environments: AWS services, on-premises applications, IoT devices, service meshes, containers and more.
What security controls does AWS Private CA provide?
- Private keys are generated in HSMs and all signing happens in HSMs, with keys that cannot be exported; access is controlled with IAM policies; and audit logs are available.
How are certificate revocation and renewal managed?
- Revocation and renewal can be driven through the API, and certificate status is published through OCSP and CRLs so clients can check whether a certificate is still valid.
What is the pricing model?
- Billing is based on certificate issuance: per-certificate fees apply only to certificates actually issued, so a month with no issuance incurs no per-certificate charges. Creating a CA requires acknowledging that the service itself has pricing.
Outlines
😀 Welcome and introduction to AWS Private CA
Daniel Choi and Dave Gupta talk about AWS Private CA and mobile device management. The public preview of AWS Private CA Connector for SCEP was announced the day before. It lets you use a cloud CA with HSM-backed private keys to enroll mobile devices. The service cuts PKI operational cost and complexity and removes the need to run the SCEP endpoint, challenge passwords and underlying infrastructure yourself. AWS Private CA can serve as the single private CA solution for the whole enterprise.
🔒 Benefits of AWS Private CA and the difficulty of self-managed PKI
Compared with self-managed CAs, AWS Private CA removes PKI complexity and improves security. Running your own PKI is shown to be hard to manage and operate (a customer anecdote of CAs scattered across the organization, root CAs issuing end-entity certificates, and a cleanup that took more than two years). AWS Private CA encourages automation through APIs and SDKs and also reduces cost, including the cost of buying and maintaining HSMs.
📱 Mobile device management and the AWS Private CA connector
The connector works with mobile device management solutions to secure an enterprise's mobile devices. It uses the Simple Certificate Enrollment Protocol (SCEP) to integrate with the MDM and issue certificates to endpoints and clients. The MDM applies and enforces policy on corporate mobile devices.
🛠️ Connector types and integration with Microsoft Intune
There are two connector types: general purpose and Microsoft Intune. The general-purpose connector works with any SCEP-capable endpoint or application (MDMs such as Jamf Pro or AirWatch, network gear, printers) and its challenge passwords are managed in AWS. The Intune type works with Microsoft Intune, which generates a unique challenge password for every request. This section explains how to create the connector and grant it access to Intune.
🔄 Creating and activating the private CA
The process of creating and activating an AWS Private CA. Create the CA, then install the CA certificate to activate it; once active, the CA can issue certificates. The section emphasizes how quick the creation process is.
🔗 Creating the connector and configuring SCEP
How to create the connector and configure SCEP. Creating a connector shares the CA with the connector service, creates the SCEP endpoint that accepts requests, and (for the general-purpose type) creates a challenge password. It also covers how challenge passwords are managed and rotated without downtime: create a new password, update all SCEP clients and MDMs, then delete the old one.
🌐 Setting up access to Microsoft Intune
How to integrate Microsoft Intune with the connector. Register an app in the Azure portal and grant the connector the permissions it needs. The steps to configure Intune access are explained in detail.
📜 Creating configuration profiles in Intune
How to create configuration profiles in Microsoft Intune and deploy certificates to devices: a trusted root CA certificate profile and a SCEP certificate profile.
🖥️ Enrolling a Windows machine in Intune and deploying certificates
Enrolling a Windows machine in Microsoft Intune and deploying certificates to it. Once the device is enrolled, the CA certificate and the SCEP certificate are deployed automatically.
🔄 Other connector types and Private CA capabilities
The other AWS Private CA connector types and what they do. Integration with Active Directory and Kubernetes is introduced, and common uses of the private CA are highlighted.
🛡️ AWS Private CA security and management
Security features and management: use of HSMs, IAM policies, OCSP management, and audit logs.
🎯 AWS Private CA overview and benefits
A summary of AWS Private CA: customizability, security, ease of management, developer agility, and its broad set of enterprise use cases.
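The two challenge-password models the outline describes (static passwords managed in AWS for the general-purpose connector, rotated without a hard cutover; a unique single-use challenge per request for the Intune type) are modelled below. This is an added example written for this page, not AWS or Connector for SCEP code: the class names, the `ScepConnector` stand-in and the certificate record are assumptions, and "issuance" only records the certificate rather than performing real X.509 signing.

```python
"""Model of the two SCEP challenge-password schemes described above.

Added illustration, not AWS code: the general-purpose connector keeps static
challenge passwords rotated with an overlap window; the Intune type relies on
a unique single-use challenge per request. "Issuance" here only records the
certificate; no real X.509 signing takes place.
"""
from __future__ import annotations

import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class StaticChallengeStore:
    """General-purpose type: static passwords managed on the CA side.
    Several may be active at once, which is what makes a rotation without
    a hard cutover possible (create new, update clients, delete old)."""

    def __init__(self) -> None:
        self._active: set[str] = set()

    def create(self) -> str:
        pw = secrets.token_urlsafe(32)
        self._active.add(pw)
        return pw

    def delete(self, pw: str) -> None:
        self._active.discard(pw)

    def verify(self, candidate: str) -> bool:
        # Constant-time compare against every active password; no early exit,
        # so timing does not reveal which (if any) password matched.
        ok = False
        for pw in self._active:
            ok |= hmac.compare_digest(pw, candidate)
        return ok


class OneTimeChallengeStore:
    """Intune type (modelled): one fresh challenge per enrollment request,
    consumed on first use so a captured value cannot be replayed."""

    def __init__(self) -> None:
        self._pending: set[str] = set()

    def issue(self) -> str:
        ch = secrets.token_urlsafe(32)
        self._pending.add(ch)
        return ch

    def verify(self, candidate: str) -> bool:
        for ch in list(self._pending):
            if hmac.compare_digest(ch, candidate):
                self._pending.discard(ch)  # single use
                return True
        return False


@dataclass
class IssuedCert:
    serial: str
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class ScepConnector:
    """Stand-in for the connector endpoint: authenticate the request with
    the challenge password first, only then have the CA issue the cert."""
    ca_name: str
    challenges: StaticChallengeStore | OneTimeChallengeStore
    validity_days: int = 365
    issued: list[IssuedCert] = field(default_factory=list)

    def enroll(self, challenge: str, subject: str) -> IssuedCert | None:
        if not self.challenges.verify(challenge):
            return None  # unauthenticated request: nothing is issued
        now = datetime.now(timezone.utc)
        cert = IssuedCert(uuid.uuid4().hex, subject, self.ca_name,
                          now, now + timedelta(days=self.validity_days))
        self.issued.append(cert)
        return cert


def rotate_without_downtime(conn: ScepConnector, store: StaticChallengeStore,
                            old_pw: str) -> dict:
    """Walk the rotation the demo describes and report what enrolled when."""
    new_pw = store.create()                                        # 1. create new
    overlap_old = conn.enroll(old_pw, "CN=device-a") is not None   # 2. both work
    overlap_new = conn.enroll(new_pw, "CN=device-b") is not None   #    during migration
    store.delete(old_pw)                                           # 3. retire old
    old_after = conn.enroll(old_pw, "CN=device-c") is not None
    return {"overlap_old": overlap_old, "overlap_new": overlap_new,
            "old_after_delete": old_after, "new_pw": new_pw}


if __name__ == "__main__":
    store = StaticChallengeStore()
    first = store.create()
    conn = ScepConnector("recording demo", store)
    print(rotate_without_downtime(conn, store, first))
```

The overlap window is the operational point: a client still holding the old static password keeps enrolling until you delete it, so the order is create, redistribute, then delete. With the one-time store a second enrollment with the same challenge is refused, which is the replay protection the per-request Intune model buys you.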
Keywords
💡AWS Private CA
💡MDM (Mobile Device Management)
💡HSM (Hardware Security Module)
💡Certificates
💡Certificate issuance
💡API
💡Security
💡Scalability
💡Cost efficiency
💡Customization
Highlights
AWS announced the public preview of AWS Private CA Connector for SCEP, which lets you use an AWS-managed cloud CA, with every private key HSM-backed, for SCEP enrollment.
Using AWS Private CA reduces PKI operational cost and complexity while providing a fully managed service.
AWS Private CA offers a portfolio of connectors, now including one for SCEP, so a single private CA solution can be used across the enterprise.
Two main use cases for certificates are introduced: encrypting data in transit and identifying and authenticating endpoints.
AWS offers several certificate services: ACM (AWS Certificate Manager), AWS Private CA, and AWS Signer for code signing.
Without AWS Private CA, self-managing a CA brings complexity, manual processes such as key ceremonies, lack of automation, and cost.
AWS Private CA is a highly available CA service that lets you set up a PKI hierarchy without ongoing cost, maintenance or specialized staff.
AWS Private CA integrates with many AWS services and solutions, simplifying tasks such as using IAM with certificates, even for workloads outside AWS.
AWS Private CA Connector for SCEP is introduced; it lets AWS Private CA be used with SCEP-capable applications, clients and endpoints.
MDM (Mobile Device Management) solutions let enterprises manage mobile devices, raising productivity and lowering cost.
Creating a Connector for SCEP is simple and quickly sets up integration with an MDM solution.
The Connector for Microsoft Intune type is introduced, designed specifically to work with Microsoft Intune.
The talk shows how to create and configure a Connector for SCEP and how to set up access permissions in Microsoft Intune.
A demo shows how to enroll a device and obtain a certificate using an MDM solution and the Connector for SCEP.
The Connector for Active Directory and the Connector for Kubernetes are discussed; they let AWS Private CA serve different enterprise use cases.
AWS Private CA supports certificate issuance for scenarios ranging from IoT devices to TLS and authentication.
AWS Private CA provides centralized CA management, making CAs easier to find and manage.
AWS Private CA uses pay-as-you-go pricing; per-certificate charges apply only when certificates are issued.
AWS Private CA supports data privacy and protection compliance, suitable for highly regulated industries.
The main advantages of AWS Private CA are summarized: security, scalability, automation and ease of use.
Transcripts
All right, good morning everyone. Thank you for joining. Hope you've had a good conference so far. We're here. My name is Daniel Choi. I'm a product manager for AWS Private CA, and with me is... Hi, I'm Dave Gupta. I'm a senior software engineer on the Private CA team. And today we're gonna be talking about securing and increasing the productivity of your mobile workforce by using AWS with mobile device management, or MDM, solutions.

So let me get started here. Yesterday, we happily announced the launch of the public preview of AWS Private CA, or certificate authority, Connector for SCEP. Basically what this allows you to do is use AWS Private CA, a managed cloud CA solution where every private key is HSM-backed, and use it with your mobile device management solution to enroll mobile devices, whether it is phones, tablets or laptops. By using AWS Private CA, you get to reduce your PKI operational cost and complexity; it's a managed solution. And not only that, the SCEP service that we launched is also managed, giving you everything you need: the endpoint, the challenge passwords, all of that without you having to do anything to build out the underlying infrastructure, and we maintain it. And lastly, the Connector for SCEP is part of a portfolio of connectors that AWS Private CA offers. This means it allows you to have a single private CA solution for your enterprise, whether it is for securing your AWS resources, users and machines in Active Directory workloads, Kubernetes, and now mobile devices.

So before we jump into that, just to give you a high level of what we're talking about today, just to ground everyone on this topic: we're gonna talk about certificates and certificate authorities. Then we'll jump right into Connector for SCEP: why use mobile device management solutions, and how does the connector actually work, as well as providing a quick demo. Then we'll wrap up with an overview of the other connectors within the Private CA connector family and a quick couple of slides on AWS Private CA itself, just so you get a better understanding of what it is.
So just to ground folks: why do you need certificates? Really two main use cases, right: encrypting data in transit, and identifying and authenticating endpoints. When you talk about encrypting data in transit, we're very familiar with public certificates, right? This is what websites like amazon.com get so that your browser can trust that when you visit it, it's a legitimate, trusted website. If you've ever gone to a website where the certificate expired, you'll see that big error in your browser that says, hey, are you sure you want to proceed? And similar to public certificates that are used to secure communication with websites and web applications, private certificates secure and identify things within your enterprise, like devices, users, machines, containers, and so forth.

So, Dave, can you tell us a little bit about the certificate services at AWS?
Definitely. So AWS has a number of certificate services that are offered that can fit your organization's needs. The first one is ACM, Amazon Certificate Manager. ACM will let you easily provision, manage and deploy public and private certificates. What that means is you can hook up ACM with your AWS Private CA, which we'll talk about next, and it'll let you issue private certificates as well. And once you've issued a certificate through ACM, you can actually use it to deploy certificates out to other AWS integrated services such as API Gateway and ALB, Application Load Balancer.

Next, you have AWS Private CA. AWS Private CA is what this talk is going to be all about. It's a highly available CA service. It lets you set up a PKI hierarchy without the ongoing cost, maintenance and specialized staff that's usually required to have your own PKI system.

And then finally, AWS Signer. This is code signing. This allows organizations to really check where their code packages come from and make sure it's from a trusted, verified source. A very common use case for this we see in our customers is with containers.
So again, the talk today is really gonna be focused on AWS Private CA. But before we talk about AWS Private CA, I want to talk a little bit about the challenges of not using AWS Private CA, if you're self-managing your certificate authorities.

So first of all, PKI is complex. A story I like to tell on this one, a customer anecdote we have, is they came to us and said that before they were using AWS Private CA, they were not sure where all their CAs were. They talked to their PKI team, and their PKI team also told them that there's CAs that are kind of scattered throughout the organization. And some of those CAs were root CAs that were actually issuing end-entity certificates. So if you manage your own PKI, you might know that that's usually against best practice: root CAs should be issuing subordinate CA certificates. And so they decided, hey, we're gonna stop this practice, and they decided to self-manage and figure out how to do that. They went on an 18-month campaign across the organization to figure out where all their CAs were, kind of audit what they were issuing, and they thought they had solved the problem 18 months later. Six months after that, so we're 24 months in now, they found out actually the problem wasn't solved. There were still CAs that they didn't know about, and their root CAs were still issuing end-entity certificates. This is all just to illustrate that even with the best intentions, your PKI team inside your organization can have a hard time managing and operating a PKI of their own.

Next one: there's a lot of manual processes. Everything I just described sounded very manual. There's also things like ceremonies that go into managing your own CA. A ceremony is where you would have to reissue a CA certificate or maybe rotate your CA certificate, and it's a very difficult thing to do. You end up having a lot of PKI experts in your organization all get in a room, do a bunch of auditing, go through a bunch of manual steps; all this is very difficult to automate, and it ends up slowing down your organization.

Next one: it doesn't really facilitate automation. So if you're managing your own CA, you usually don't have APIs, you don't have an SDK that you can just call. It ends up slowing down your developers. And like I said, ceremonies are a great example of something that just cannot be automated.

Finally, there's cost. So this is the big one that customers talk about: managing your own CA can be very, very expensive. An example that I like to give on this one is about HSMs. So if you have your own CA, an HSM is a hardware security module that you need to store your private key securely. If you go and buy your own HSM, you're looking at $20,000, $25,000, $30,000 for a single HSM. Now, if your organization wants redundancy, double or triple that. Now if you want high availability, maybe double, triple that. So you're looking at possibly tens of thousands of dollars in just infrastructure costs. Now you have your staff, now you have your specialized team; all this stuff adds up very quickly. We had a customer tell us that they were self-managing their own HSM. They actually spent $25,000 to $50,000 on HSMs. Their organization tried to do a firmware update, and when they did the firmware update, they found out that they accidentally bricked their HSM, because again, it's very difficult to self-manage these things. They bricked their HSM; next thing they know, they were out a bunch of money and they had to start all over, which goes to show you some of the challenges that come with traditional CAs.

But now we're gonna talk a little bit about Private CA and how it's a little bit different. Dan will walk us through that.
Yeah, thanks Dave. So how is Private CA different than what we just called traditional CAs? Well, first, it's a managed solution where we take the undifferentiated heavy lifting of managing PKI, operating PKI, off of your hands. So we're talking all that underlying infrastructure: databases, servers, the HSMs, all that gone. We do it for you.

And then in addition to that, as Dave said, we help you be secure. Every private key is generated in an HSM, signing happens in the HSM, and they're not exportable. So no worries that the private key leaks and you have a CA compromise.

We talked about traditional CAs typically not having APIs. Well, we are an API-first service: issuing certificates, revoking them, that's all doable through automation.

And then we also have high scalability. So if you run into a place where your traditional CA is starting to run out of capacity, issuance rate, you're gonna have to go in and invest in that hardware and infrastructure again. Here, we support everything from IoT devices, for example the Matter smart home standard where we issue tens of millions of certificates, to enterprise use cases: Active Directory, Kubernetes. AWS Private CA issues on average more than 1.5 million certificates a day, including internal certificates. That means over half a billion certificates a year, including internal certificates.

And then lastly, yes, you can set up a CA, yes, you can set up your PKI, but I want to use it with these different use cases, whether it's service meshes, or Active Directory, or my mobile device management solution. Well, AWS Private CA is integrated with a lot of solutions and services within AWS, making it easier for you to do things like use IAM with certificates, even for workloads that aren't in AWS.
So let's jump into the main topic of our talk today, which is AWS Private CA Connector for SCEP. So what does it really do at the end of the day? It allows you to use AWS Private CA with SCEP-compatible applications, clients and endpoints; typically that means mobile device management solutions.

I'm gonna take one step back and talk about the connectors overview, which is: what are our connectors? AWS Private CA, I just told you, is a managed solution, scales great, high availability, but connectors allow you to use Private CA in environments that have a natural, native, established certificate distribution solution. That's a mouthful. What does that mean? Basically you can think about things like Active Directory, right? It has auto-enrollment. It just works. You put a user or machine into a group, they get a certificate, and it renews by itself. Kubernetes, if you're using that, there's cert-manager, a free open source add-on for certificate lifecycle management that does a fantastic job of making sure your certificates get to the right places and also stay valid. And so really, by using connectors, you can use AWS Private CA as a single CA solution for a variety of your enterprise use cases.

Now back to what I was saying a moment ago: what is Connector for SCEP? Basically, you can use it with SCEP-compatible endpoints, clients and applications. Usually this means mobile device management solutions. And SCEP stands for Simple Certificate Enrollment Protocol, just in case you weren't aware of that. And that is what a lot of MDM solutions have adopted for enrolling certificates.
So I'm gonna talk a little bit about MDMs. We talked about improving productivity, being able to use it. What is an MDM? Why should you even consider it? We'll give you a high-level rundown of it, but basically it allows your enterprise administrators to control and enforce policies on mobile devices. So whether it's corporate-issued or you bring your own device like I do for work, they can set rules such as: hey, you have to have a passcode, it has to be eight digits long, you can't have certain apps on it, things like that. It also provides some information back to you to say, hey, are any devices in a state that is less secure? Maybe it's in a weird IP location, things like that. So it provides that kind of information as well. And then lastly, for that example where I bring my own device to work, I want a clear separation between my work data and my personal data. And I don't need Amazon data mingling with the social media apps that I'm using, right?

And bring-your-own-device is actually the most common use case that we've heard. And why would that be? So the first thing we found out or learned is it's up to 34% higher productivity when you allow your employees to use mobile devices. So that means, hey, I get to be unblocked because I have a question or I need an approval; that can happen on the go. In addition to that, you could save up to $350 per employee compared to issuing a corporate-owned device. So going out and buying a mobile device and giving it to your employee, compared to that, can save a little bit of money. So higher productivity, lower cost: that's one of the biggest reasons why we see bring-your-own-device as a major use case.

So Dave, do you wanna tell us a little bit about the connector itself?
Yeah, definitely. So like Dan said, we're excited to be talking about the Connector for SCEP today. So when you're creating a Connector for SCEP, you really have two choices; you can create two types. The first one is gonna be a general-purpose connector. So let's talk about that first. A general-purpose connector is designed to work with endpoints that support SCEP. Now there's a couple of use cases here. The first one is mobile device management. So mobile device management means that you can use the general-purpose connector with MDMs such as Jamf Pro or AirWatch, or other SCEP-compliant MDMs. You can use it with network gear, routers, printers, whatever other gear that you have that is SCEP-compliant. And the last thing you need to know is that the challenge passwords that you create are managed by AWS. What does that mean? So a challenge password is a SCEP concept, and it's kind of the security layer that exists within SCEP. So a SCEP server will create a challenge password, and then you distribute that out to your clients and your trusted MDMs. And once that distribution happens, your SCEP clients and MDMs will actually be able to make requests to your SCEP endpoint that the Connector for SCEP will create for you, and it will know that, OK, this person knows the password, so they're authorized to issue a certificate. So that's how you do challenge password management.

And then the other type is the type for Microsoft Intune. Now, this type is designed to work with, as you probably guessed, Microsoft Intune. And that connector type is gonna have challenge passwords managed in Microsoft Intune. So what that means is you're not doing the management within AWS. In this connector type, you're managing those challenge passwords within Intune. So every single request that's made to issue a new certificate has its own unique challenge password that Intune will create and send to your client, and the client will make a unique request with a unique challenge password. So that management is done for you in Microsoft Intune.

So next, we'll talk a little bit about what the architecture looks like there, like: what does it look like to actually use an MDM with the Connector for SCEP? Now, one thing I want to call out is using the Connector for SCEP does not require you to use an MDM. That's just a very popular use case that we see with customers.
So here we have an MDM solution. This could be Intune, it could be AirWatch, it could be Jamf Pro. And you have your AWS Private CA that you set up within AWS, and you have the Connector for SCEP that you've also set up. Once you set those things up, the next step is you have a mobile device that your organization is managing. This could be an iOS device, it could be an Android device, a laptop, an iPad, whatever your organization is using. And the mobile device configuration that you create will actually get pushed to your mobile device from the MDM. Now, what is the configuration profile that I just mentioned? A configuration profile is something that you set up in your MDM. It's going to contain an endpoint, it's going to contain maybe a challenge password, and what your certificate looks like. So I can say I want a specific extension in my certificate, or I want a specific subject in my certificate. All those things are set up in my MDM and pushed to my mobile device. Once my mobile device has that, it will connect with the endpoint for Connector for SCEP and it will request a certificate. Once it requests a certificate, the Connector for SCEP will go to AWS Private CA, it'll get a certificate issued and send it back to your mobile device. There you have it; it's pretty simple. Now you have a mobile device that is enrolled in your MDM and has a certificate issued through a private CA.

Now, all of this sounds pretty simple, and it is, and we're gonna show you in a five-step demo here. It's gonna be a series of videos; we're just gonna talk through it real quick. First, we have the step where we're gonna create a CA. After we create a CA, we'll show you how easy it is to create a general-purpose connector. And after that, we'll talk about Microsoft Intune a little bit; we'll show you how to make a connector for that. And then we'll also talk about how to create configuration profiles within Microsoft Intune. And then finally, we'll talk about enrolling a device. So let's get started with the demos.
We'll be creating a Connector for SCEP. The first step in creating a Connector for SCEP is to create a private CA. So let's go ahead and do that. Here you have the Private CA console. I will go ahead and click the create private CA button here. You have a wizard that pops up with some options that we're going to go through.

You have mode options. This is asking you to pick between general purpose and short-lived certificate for your two CA modes. For the purposes of a Connector for SCEP, we recommend using general purpose, so I'm gonna go ahead and click that. Now under CA type options, we have a root and a subordinate option. I'm gonna go ahead and stick with root for the purposes of this demo, and so I'll click that. And now under subject, we have many fields; a lot of these are optional. But for the common name of your CA, I'm gonna go ahead and say, let's call it "recording demo". Great, so now we have a common name for our CA.

And now we have some options for key algorithm. The key algorithm of your CA can be RSA 2048, RSA 4096, EC P-256 and EC P-384. So I'm going to go ahead and click RSA 2048. This is the most widely adopted algorithm, so we're going to use that for this demo. But if you have other compliance needs or other key algorithm needs, you can go ahead and click into the other ones as well. They will all work with the Connector for SCEP.

Great. So now we have certificate revocation options here. You can select CRL, and if you select the CRL option, you'll provide it with an S3 bucket name, and the console will actually create that S3 bucket for you. CRLs will then be generated and delivered to that S3 bucket, and so clients can pull it down from there. And then if you need OCSP, there's also an option for OCSP. For now, I'm going to go ahead and uncheck both of these, because I'll go forward without revocation for the demo.

Here you have tags. You can go ahead and tag your CA, so I guess we can do that. We'll say, for the key, "recording", and the value can be "demo". Here, this is CA permissions. This basically says that I'm giving ACM access to renew certificates that are requested by this account. I'm gonna go ahead and keep this checked. And then here we have pricing. This is just acknowledging that the Private CA service has pricing associated with it. So I'm going to click that and acknowledge that. I hit create CA, and awesome, now I have a CA that is in the pending certificate state, and it was created successfully.

Now, this CA cannot be used to actually issue certificates quite yet. That can only be done when the CA is in the active state. So right now the CA is in the pending certificate state. So what we're going to do is activate it by clicking actions here, going to install CA certificate. And what this will do is it will actually issue a CA certificate off of your CA and then import it back into your CA to activate your CA. So then your CA certificate will be part of your CA and you'll have an active CA that you can then use to issue more certificates. So here your CA certificate has a validity period, and you can select that here, but we'll leave it as the default. And then there's a signature algorithm that you can pick from. I'm going to go ahead and leave it as SHA256 with RSA. I'm going to hit confirm and install, and there you have it. Now you have a CA certificate that you can view right here, that was issued for you and imported back into your CA, and you have the CA in the active state. So you can actually issue certificates off of the CA that you can then go and use.

So, awesome. What I'm going to do next is I will go ahead and export this CA certificate as certificate.pem, and I will save that for later, because we'll need that in some of the next steps when we're setting up our Connector for SCEP. So as you can see, we only took a few minutes to set up a whole brand new CA that is highly secure, available and managed. It's awesome.
So as you can see, setting up a CA was very quick and easy. It only took a few minutes. And one thing I want to call out about the CA: not only is it highly scalable and completely managed for you, this CA also has its private key backed in an HSM. What that means is that we just created a private key when we created the CA, and that private key is created in an HSM, and any signing operations that occur will happen in the HSM. So if you remember that customer anecdote from before, where it's really hard to manage expensive HSMs, all of that is done for you here. And on top of that, that private key cannot be exported from the Private CA service. So that means your private key is always secure; no one can get to it.

All right. So we just talked about creating a CA. Next, we'll talk about what we're launching today, which is the Connector for SCEP, and how easy it is to create one. So let's take a look at that demo.
In the previous step, we created a CA. In this step, we're going to create a Connector for SCEP. So we are now in the Connector for SCEP console. On the left, we have some links to other connectors and to the Private CA console as well. One thing to note is the Connector for SCEP is currently in preview. That means changes might be made to the service, and we don't recommend using the preview for production workloads.

So here I'm going to click the create connector button, and we have some options here. I'm gonna go ahead and name my connector here. I will call it "recording demo". And then here we have connector types. Now there's two types of connectors that you can create when you create a Connector for SCEP. If you pick the general-purpose connector type, this type is designed to work with endpoints and applications that support SCEP. SCEP is widely adopted for mobile device enrollment and networking equipment, so this will work for many different types of MDMs. If you're using Microsoft Intune, you'll use the Microsoft Intune type of the Private CA Connector for SCEP. So to start off with, let's use the general-purpose type. So I went ahead and selected that, and here I can go pick my CA. So I'm going to go ahead and find the CA that we created earlier, called the "recording demo" CA, and select that. And then here it's gonna ask me, do I want the console to create a challenge password for me.

So when I hit create connector here, a couple of things are going to happen. First, it will share my private CA with the Connector for SCEP service. This allows the connector to issue certificates from your private CA to SCEP endpoints and applications. When you create connectors outside of the console, such as through the CLI or API, you'll need to create the AWS RAM share prior to creating a connector. But when you do it through the console, this is done for you. So when I click the create connector button, the console will take care of that step. Next, it's gonna create the connector. Creating the connector involves creating an endpoint that you can later use to actually make SCEP requests, and your clients can use to make SCEP requests. And another thing the console will do for you is it will create a challenge password for you as a managed service. All this happens on your behalf to simplify setting up SCEP for your private CA. So a challenge password here is one of those steps. Challenge passwords are used to authenticate a request before issuing a certificate from your CA. A challenge password is a static password and needs to be distributed out to your clients and MDMs for them to be able to issue certificates against your CA.

Great. So I'm gonna go ahead and hit create connector. And all the steps that I just mentioned before are happening: the CA is being shared with the Connector for SCEP service, and the endpoint is being created. And you'll see here, now we have an active general-purpose type connector with an endpoint and a challenge password. So let's take a look at this challenge password here. I can click it and click view password. One thing to note is that you can actually use IAM policies to lock down who can view that challenge password. So here I have IAM permissions, and so I can view the password right here. Let me go ahead and close this. Another thing you can do from the console is you can create a new password. I just created a new one, and I can delete an old one by selecting the delete button and typing "delete", and delete. So here I've just rotated my challenge password, and I can do that without a hard cutover. All I have to do is create a new password, update all my SCEP applications and clients to use that new password, and delete the old one. That way you can avoid downtime during challenge password rotation. Great. So here we've created a general-purpose Connector for SCEP.
mhm. So
as you can see, it's pretty easy to create a connector for scout
that took maybe that was about a three minute video. And
so in the three minutes before this, we created
AC A
and in the next three minutes, we set up a connector
for scout. So altogether 5
to 6 minutes to set up a highly secure,
highly managed scalable C A service
that you can use with connector for scout.
And at this point, if you're using the general purpose connector
type, you're pretty much ready to go.
You can use the general purpose connector type to
uh actually work
with uh your MD MS like Airwatch and Jam
Pro. So next,
we'll talk about uh the next connector type,
which is if you're using Microsoft intune, we'll
show you how to make that and we'll show you how to set that up.
In the previous step, we created a general purpose connector. The Connector for SCEP also has a Microsoft Intune type. So let's go ahead and get started and create a Microsoft Intune type. I'm going to hit Create connector here. I'll call this Microsoft Intune connector, and for the connector type, I'll select Microsoft Intune. Now with this type of connector, we'll have to go to Microsoft Intune and actually do a few steps to allow the Connector for SCEP to be able to access Microsoft Intune. So let's go into Intune here.

So I'm in the Azure portal, and in Microsoft Azure, I just searched for app registrations and ended up at this page. Now under app registrations, I'm going to go ahead and click New registration here. I'll call this testing, and I can leave the other values as default. So what I've done here is I've actually created an application within Azure. So now I'm looking at this application, and we'll see that the Connector for SCEP console is asking for an application ID and a directory ID. So let's copy and paste those values: application ID, copy that, and directory ID, I'm going to go ahead and copy that as well. Great.

Now I can proceed in the same fashion I did with the general purpose connector, where here I will search for my CA. I'll select it. I notice that the console is mentioning that the CA has been shared with the Connector for SCEP service already because I used the same CA in the previous step when I created the general purpose connector. But that's OK, it'll just get reshared. So I selected my CA and I'm going to hit Create connector, and here it's going to go through very similar steps as the last time, where it's going to go ahead and create an endpoint. One big difference though is here we will not be self managing these challenge passwords. Instead, as the console says, when using this connector type, you manage the challenge passwords using Microsoft Intune.

And so what we've done here is we've created a Microsoft Intune connector type, and now we can go ahead and move on to the next step, which is setting up access in Azure. As you can see, again, we created another connector type. If you're using Microsoft Intune, you'll create this connector type. And this is another really easy step; I showed you how to set up that connector. The next step here will show you how to actually grant access. So your Connector for SCEP needs to be able to talk to your Microsoft Intune tenant, and we'll show you how to do that in the next demo.
Next, we're going to make sure that Microsoft Intune has access set up correctly, so the Connector for SCEP can actually access Microsoft Intune. So let's go ahead over to Azure. OK, here we will see the app registration that I just created, called testing. I can head over to Certificates and secrets, Federated credentials, and click the Add credential button. Here I'm going to select Other issuer, and I can go ahead and copy the values that the connector gave us. So here we have a value for issuer, subject and audience. I'm going to click issuer and paste that into the issuer, paste the subject into the subject identifier, and here I'm going to copy the audience and add it right here. I'll name this testing and hit Add. Great. So now my Connector for SCEP has access to Microsoft Intune.

Now I'm going to go ahead and configure the permissions that the Connector for SCEP has on my Intune configuration. So here I'll go to API permissions, and I'll be able to add those specific permissions that the connector will use. So I'm going to click Add a permission, click Intune, and now I can go to application permissions and search for SCEP and click Add permissions. I'll add a second permission here by clicking Add a permission again, Microsoft Graph this time, application permissions, searching for application and selecting Application.Read, Add permissions. And then one last button here: I'm going to grant admin consent. Great. So I pretty easily just set up my Connector for SCEP to have access to my Intune.

Next, I need to create a configuration profile that can be used by Intune to actually push SCEP certificates and SCEP trusted user profiles to my devices. So I'm going to head over to Microsoft Intune, and here I went to Devices and Configuration. Here I'm actually going to create two configuration profiles. The first one is going to be for, well, so I have a Windows machine that's set up that I'm going to use as my device that I'm enrolling to Intune. So I'll go ahead and select that first. And then here, the profile type will be trusted certificate. So what this means is that a trusted certificate is a certificate that ends up in a device's trust store. So for us, we're going to use our root CA's certificate that we created earlier as the trusted certificate. So I'll go ahead and click Create. I'll call this trusted cert, hit Next, and here I need to upload it. So I actually upload it by just taking the certificate that I downloaded earlier, the CA certificate from my CA, and changing the .pem to .cer, open that up, hit Next. I'll say that all devices that are Windows machines that enroll to my Intune will get the certificate in the trust store. So I selected all devices, hit Next, and I hit Create. Refresh, and we see it there.

Great. So now my next one is gonna be the same thing, Windows 8 and above. And this time it'll be a SCEP certificate profile, and what this is going to actually create is gonna actually cause Intune to push a configuration profile to your device. And your device will then go and make a request against the Connector for SCEP to actually issue a certificate. We'll call this SCEP certificate. We'll say it's a device type certificate. Here we can call it, this is the subject, we'll say testing, and we will look at the other options there. We have options for subject alternative name; we'll leave this as default. You can configure the validity period of your certificate; we'll leave that as one year. For the key storage provider, we'll go ahead and say this option right here. For key usage, we can select both digital signature and key encipherment. Key size, we'll go with 2048. Again, these are all demo values; you can configure this however you wish. And the hash algorithm, we'll go with SHA-2. Root certificate, we'll say this is the trusted certificate, which represents our CA certificate. For extended key usage or EKU, I'll go ahead and say any purpose. And here, this is the renewal threshold. What this means is that your certificate will be renewed when 20% of its lifetime remains. So we'll leave that as the default. And this right here, it's asking for the URL of your SCEP server; in our case, that's the Connector for SCEP's URL. So go ahead and grab your unique URL right here and paste it in, hit Next. Next. As previously, we add all devices. So this is saying any Windows machine again that enrolls will get this SCEP certificate issued. Hit Next and Create. If we refresh, we should see it here. Great. So we see SCEP certificate and trusted certificate.

So here you saw how you set up access for the Connector for SCEP to be able to access your Microsoft Intune. Another set of just pretty easy steps; this is all in our documentation as well. Next up, we'll show you the actual exciting step, which is seeing a device enroll in Microsoft Intune and seeing those certificates being pushed to it. So let's watch that demo.
In the previous step, we created a Connector for SCEP, and this step will actually enroll a device. So I have set up a Windows machine here, and I downloaded Company Portal. And after I downloaded Company Portal, I simply signed in using my Microsoft Intune credentials that were unique to my tenant. And so once I had signed in using my credentials, that was just my username and password, I am going through this wizard now which will actually enroll this Windows machine to Microsoft Intune. So I'm going through this wizard, hit Next, and it's saying I am now enrolled. So I hit Done. I can see this device is enrolled. And if I go to Settings and Sync, what I'm hoping to do here is actually pull down the two configuration profiles that we created. It said the sync was successful. What that means now is if I look in my trust store on this machine, I should see my CA certificate. So let's check for that. So I'll search for computer certificates here, Yes, and go to Trusted Root Certification, and let's see, recording demo. This right here is my CA certificate that I had uploaded to Microsoft Intune and has now been pulled onto this machine.

So that's pretty cool. I just created a Windows machine enrolled into Intune, and now my CA certificate that I had issued with a Private CA is now on this machine, and every Windows machine that enrolls from now on will have that automatic behavior as well. The next thing I should see is, when I go to personal certificates here, I should see that the SCEP certificate that I had requested was actually issued, and it looks like it was. So if I open this up, this right here is my certificate that I had set up with a configuration profile in Microsoft Intune. So what happened here is this Windows machine enrolled to Microsoft Intune, and then it automatically knew to go and ask the Connector for SCEP for a new certificate. So it hit that endpoint that the Connector for SCEP had set up, and a certificate was issued by your AWS Private CA. So this right here shows you how easy it is to set up your AWS Private CA with a Connector for SCEP that can then be used to enroll your machines and devices.

So there you have it. You created a private CA, you created a Connector for SCEP, and then you were able to enroll a device in Microsoft Intune. It's a pretty simple process. And next, now that we've talked about this, we'll talk a little bit more about the concept of connectors, and Dan's going to tell you a little bit about that.
Yeah, thanks Debbie. That was a great set of demo videos. I hope that helps you all understand how quick and easy it is, at least for the PKI steps, to get to, you know, setting it up and being ready to then configure your MDM SCEP compatible applications and clients. But as I mentioned before, Connector for SCEP is just one of three connectors that we have. We're gonna wrap this session up just talking a little bit about those connectors and a little bit about Private CA.

So one of the other connectors we have is Connector for Active Directory. Very similar to Connector for SCEP, it is for identity certificates. If you think about what we use private certificates within Active Directory for, one of the main ones we hear is securing your domain with LDAPS, or secure LDAP, or LDAP over SSL, right? Without it, all your domain communications is happening over plaintext. Not great. The other thing is to enroll your users and machines, right? Providing them an identity by installing a private certificate onto them. You know, the most common use case here is I want this laptop to enter the office and get on to the Wi-Fi so that I don't have to have them constantly using the Wi-Fi password or having to rotate it out and letting everyone know. And a less common use case is encrypting emails and files. If you use certificates, you can use them to sign and encrypt those objects, but like I said, not as common.

And just to let you know, the Connector for Active Directory works with two types of Active Directory, if you will. One is AWS Managed Microsoft Active Directory. This is an offering offered by AWS Directory Service. This is a managed Active Directory; they do the patching and upgrading. They recently went through a campaign where they upgraded everyone to 2019. And then self managed, right? So whether you're hosting it on premises or if you're hosting it in the cloud, like on EC2, you can use the Connector for Active Directory for both use cases.

And so just a quick diagram on how it works. On the right side, you'll see this is your on premises setup. You have Active Directory, you have AD domain joined objects, right? And you're like, I have a private CA, I want to use it with my Active Directory to enroll my AD objects. Well, the first thing you actually have to do is connect it to the AWS cloud. That happens by using the AWS Directory Service product. And now your on prem Active Directory is in the cloud in a way where AD aware applications such as Private CA, WorkSpaces, other things can actually communicate with your Active Directory. This is when you would say, OK, connect me to it. That's when you use the Connector for Active Directory. Now Private CA is a trusted CA within Active Directory. It can actually communicate and do LDAP queries, and all you have to really do at this point is configure your group policy object and go in and say, hey, domain computers, going forward, go point to the endpoint that the Private CA connector provided. And once you update that GPO, it reaches out. We do a bunch of things at this point. You know, the connector reaches out and communicates with your Active Directory to say, hey, is this request actually allowed to get certificates? Are they in your directory, whether it's a user or a machine? In addition to that, it's going to communicate back and forth with that object: what certificates do you have? What certificates do you need? And after that communication is over, it goes up to your AWS Private CA, grabs the certificates and shoots them back to the object. And all this, you know, happens through your VPC; nothing goes over the public internet. So it stays within your network. Debbie, you want to talk a little bit about Kubernetes?
I definitely do. So the Connector for Kubernetes is another connector, like Dan talked about. So one thing I wanna just start off by saying is the Connector for Kubernetes, it's a big space for our customers. Two out of three containers that are running in the cloud right now run in AWS. What that means is if you're running on prem, or if you're running in EKS, or you're using cert-manager already, this is a tool that's very useful for you, and we expect customers to continue growing in that space.

So let's talk about what that looks like in terms of an architecture diagram. So let's say you have your own Kubernetes cluster. Again, it could be EKS or it could be your own self managed one. You're maybe running a service mesh. This could be Istio; we see that a lot in customers. And you have your own microservices that are running within Istio. So a lot of organizations already have this set up where they're using cert-manager. So cert-manager is commonly referred to as the de facto tool for certificate management within Kubernetes. Now, cert-manager is an open source plugin; a lot of teams, a lot of organizations are already using it. And so what we built with the Connector for Kubernetes is just a plugin for that. So whenever your microservices need certificates, it'll reach out to cert-manager. And then the Connector for Kubernetes is right there working with cert-manager, and cert-manager will ask the Connector for Kubernetes for a certificate, and the Connector for Kubernetes will take it from there. The connector will reach out to Private CA. It'll issue a certificate for you, send it back to your connector, send it back to cert-manager, and then your microservices in Istio will have the certificates they need. This is a very common infrastructure setup that we see; a lot of organizations already have cert-manager. This is just an add on now that works with it. So there's no need to replace anything that you already have.

Next up, there's a lot of options you have for TLS termination and where to use TLS in a cluster. So let's say this is your Kubernetes cluster. You may have an application load balancer in purple, or you may have an ingress controller right on the edge of the EKS cluster. Or you may have pods that are running within that cluster that you can do TLS termination at. So some of the options there: you can terminate at that load balancer, or you can terminate at the ingress controller, and that's what we see commonly done. And we have termination at the pod as well. And then finally, you can use the Connector for Kubernetes to do secure communication between pods as well.

So we talked a little bit about connectors. Dan walked us through that. We talked about the Connector for AD, we talked about the Connector for SCEP, we talked about the Connector for Kubernetes. Next, let's talk a little bit about AWS Private CA.
So AWS Private CA, you may be asking, when do I use it? Like, what are the common use cases that we see? So let's walk through them. A common use case that we see is using AWS resources outside of AWS and within AWS. So we talked a little bit about ACM earlier. So customers will often issue a certificate and use it with an ALB, or they'll use it with API Gateway. So Private CA will work with ACM, and ACM kind of opens the door to a bunch of other integrations.

Next, you have IoT devices. Now this is something we see customers use all the time. There are millions of certificates being used right now through Private CA that are used on IoT devices. Now, this can be Matter compliant. So if your organization is Matter compliant, it's important to call out that Private CA is currently the only cloud provider with a private CA solution that is fully Matter compliant. And so we have a lot of customers using Private CA for those use cases. We also have them using it for stuff like AWS IoT Core. So if you're using any of those things, then Private CA fits your use case.

Next, service meshes and containers. We kind of went through this in detail in the last slide, but this is the Connector for Kubernetes. This is if you're using a service mesh. Again, two out of three containers running on the cloud run in AWS. So we expect this space to keep growing. If you're using service meshes and containers, AWS Private CA can hook you up with certificates.

Next, identity. What I really think of with identity is IAM Anywhere. So let's say you're an organization that has a workload that's running outside of AWS, and you have the hybrid infrastructure, so you have some resources within AWS. So you can use IAM Anywhere to establish identity. So your workloads will establish identity using certificates and Private CA, and then you can use IAM Anywhere to actually exchange that identity for AWS credentials. And that's how your hybrid infrastructure works, where your non-AWS workloads will be able to reach into AWS and use those AWS resources.

So we talked a little bit about use cases, like when do you use Private CA. But let's talk a little bit also about the benefits of using Private CA. So first of all, we talked about this slide. It is a secure, managed, scalable service. So, you know, we talked a little bit about some customer anecdotes before where customers didn't know maybe where their CAs were, or were having a hard time understanding where to issue certificates from, whether it's the root CA or the intermediate CA. So with Private CA, we make a lot of these things easy: through the console, through high availability, a lot of these things are made easier for you.

We also support developer agility. This is automation, so customers can create Private CA through CloudFormation, through CDK. They can automate things through the console or APIs or SDKs. They have a lot of different options to actually speed up the agility of their work.

Next, you can create root CAs and complete hierarchies within Private CA. So you don't have to manage anything outside of it. Your root CA can be in Private CA, subordinates, your whole hierarchy can all be done within Private CA.

And then also you have the ability to actually customize certificates. So in a certificate, you may want to customize what kind of extensions are in there, the subject, all the different things in there. You can do that via API passthrough. So API passthrough is a mechanism in Private CA where you can actually pass in parameters through the API, and it will affect what your end certificate looks like. You can also do it through CSR passthrough. So you can put extensions in your CSR that get copied over to your end entity certificate. You can also do customization through preset templates that we give you. And this is really nice because you can control access to those templates through IAM, and you can just have predefined templates that customers can use to define what their end certificate looks like.

Finally, manage your CAs centrally. So no running around trying to find where all the CAs are in your organization, like the customer story we told earlier. You have one console in Private CA; you go to one console, you can see all of your CAs. You can call one API, the ListCertificateAuthorities API, and see all of your CAs. So there's no more losing your CAs. You can see it all in one single pane of glass.

And finally, pay as you go pricing. So when you create a CA, you will pay for ongoing maintenance and costs. But if you don't issue any certificates that month, there will be no charge for certificates that month. So it's very much pay as you go pricing.
So we talked a little bit about the benefits and the use cases for Private CA. Now, Dan, do you want to tell us a little bit more about securing your Private CA?

Sure, I'll wrap up with security because we are at a security conference, right? We've kind of spoken a lot about this. HSMs, they're a big part of, you know, Private CA and the security that we offer. IAM policies for access control, right? So you put all your CAs into an account, you can share it, and when you share it, you can allow that other account to only issue certificates. Don't touch my CA, don't create a CA, don't delete a CA, right? Not only that, what's kind of cool is you can also use it as a two party requirement, right? What I mean is, hey, I have someone in my company who can create CAs; I have someone who can actually issue certificates. Those two people are not the same. So if I want to issue a brand new CA certificate or deploy a CA, I actually need both of them together for us to actually get a new CA deployed. That way you're not creating CAs without really knowing. Managed CRL and OCSP: revocation is an important part of PKI, and we provide you with both managed services. And then lastly, I want to know what's happening in my CA. You get the audit logs, you also get a free generated audit report: every certificate issued, whether it's revoked, expired or still valid, you get that all in a single report, which makes it easy to do two things. One, provide it to your compliance auditor. Two, you have an incident, every single cert is there for you to look through.

I'm not gonna read this slide off to you, but Private CA, you know, supports compliance for data privacy and protection. You can learn more by going to the website at the bottom to see, you know, which ones we comply with. But basically we want to be able to support you and have you use us in highly regulated industries and fields, environments.

And lastly, here's our takeaways, right? So you got this fully managed CA, highly available, real secure, you know, it's a cloud based API for a CA solution. The portfolio of connectors allows you to use it for a variety of enterprise use cases. And think about agility, how quickly you can set up a CA for use for your dev environments, for your production, whatever your use cases, and the ability to customize certificates. As Debbie mentioned, we can issue certificates from IoT to TLS to identity all the way down to mobile driver's licenses, right? And then lastly, we make it easy. Amazon, you know, if you're using containers, Amazon EKS, Amazon ECS even provides its own service mesh. If you're using it between services, you flip a switch, you're using Private CA, you have TLS. You know, we continue to integrate to make it easier for you wherever you are to use private certificates. And just thank you. Thank you for joining us this morning. My name is Dan, this is Debbie, and please complete a survey, and we'll be right over here on the side if you wanna talk. But I appreciate it.
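As an added example (not from the talk, and not AWS code), here is how a defender might triage the Private CA audit report Dan describes (every certificate issued, whether revoked, expired or still valid) and apply the renewal threshold from Debbie's Intune SCEP profile (renew when 20% of lifetime remains). The report field names follow my understanding of the JSON audit report format and the sample entries, ARNs and "now" are constructed; treat all of them as assumptions.

```python
# Added example, not from the talk or from AWS: triage an AWS Private CA audit
# report the way the speakers describe using it (compliance evidence and
# incident lookup) and flag still-valid certificates that have crossed the
# Intune SCEP profile's "renew when 20% of lifetime remains" threshold.
# Field names follow the JSON audit report as I understand it (assumption);
# the report below is constructed sample data with placeholder ARNs.
import json
from datetime import datetime, timezone

RENEWAL_THRESHOLD_PERCENT = 20  # demo default from the Intune SCEP profile
DEMO_NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # constructed "now"


def _entry(serial, subject, not_before, not_after, revoked_at="", reason=""):
    """Build one constructed report entry; the ARNs are placeholders."""
    return {
        "serial": serial, "subject": subject,
        "certificateArn": ("arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/"
                           f"CA-ID/certificate/{serial}"),
        "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1",
        "notBefore": not_before, "notAfter": not_after, "issuedAt": not_before,
        "revokedAt": revoked_at, "revocationReason": reason,
    }


# Constructed sample report: one cert near renewal, one fresh, one expired,
# one revoked for key compromise. Timestamps are ISO 8601 UTC.
SAMPLE_REPORT = json.dumps([
    _entry("01", "CN=testing", "2024-06-01T00:00:00Z", "2025-06-01T00:00:00Z"),
    _entry("02", "CN=device-0002", "2024-10-01T00:00:00Z", "2025-10-01T00:00:00Z"),
    _entry("03", "CN=device-0003", "2023-01-01T00:00:00Z", "2024-01-01T00:00:00Z"),
    _entry("04", "CN=device-0004", "2024-09-01T00:00:00Z", "2025-09-01T00:00:00Z",
           revoked_at="2025-01-15T00:00:00Z", reason="KEY_COMPROMISE"),
])


def _ts(value):
    """Parse an ISO 8601 UTC timestamp; an empty string means 'not set'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(entry, now):
    """Return 'revoked', 'not_yet_valid', 'expired' or 'valid' as of `now`.

    Revocation wins over validity dates: a revoked cert stays revoked even
    though its notAfter has not passed, which is the case an incident
    responder cares about.
    """
    revoked_at = _ts(entry.get("revokedAt"))
    if revoked_at is not None and revoked_at <= now:
        return "revoked"
    if now < _ts(entry["notBefore"]):
        return "not_yet_valid"
    if now >= _ts(entry["notAfter"]):
        return "expired"
    return "valid"


def renewal_due(entry, now, threshold_percent=RENEWAL_THRESHOLD_PERCENT):
    """True when the cert is still valid but no more than threshold_percent
    of its lifetime (notAfter - notBefore) remains, mirroring the profile."""
    if classify(entry, now) != "valid":
        return False
    not_before, not_after = _ts(entry["notBefore"]), _ts(entry["notAfter"])
    lifetime = not_after - not_before
    remaining = not_after - now
    return remaining <= lifetime * threshold_percent / 100


def summarize(report_text, now):
    """Counts per state plus the serials that the device should be renewing."""
    counts = {"valid": 0, "expired": 0, "revoked": 0, "not_yet_valid": 0}
    due = []
    for entry in json.loads(report_text):
        counts[classify(entry, now)] += 1
        if renewal_due(entry, now):
            due.append(entry["serial"])
    return {"counts": counts, "renewal_due": due}


def find_by_subject(report_text, subject):
    """Incident helper: every cert ever issued for a subject, revoked or not."""
    return [e for e in json.loads(report_text) if e["subject"] == subject]


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT, DEMO_NOW), indent=2))
```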