# Microsoft Cloud PKI

{% hint style="info" %}
It is assumed that the Microsoft Cloud PKI hosts both the Root and Issuing CA. For scenarios involving BYOCAs please refer to Microsoft's online resources or the web.
{% endhint %}

{% stepper %}
{% step %}

### Deploy a Microsoft Cloud PKI

#### Create a Root CA in Intune admin center

Before you can issue certificates to managed devices, you need to create a root CA in your tenant to act as the trust anchor. To create a root CA in Intune admin center, please follow [this Microsoft guide](https://learn.microsoft.com/en-gb/mem/intune/protect/microsoft-cloud-pki-configure-ca).

{% hint style="info" %}
Please take note of the CRL distribution point, as you will need it later in [Step 2](#step-1-create-root-ca-in-admin-center-2).
{% endhint %}

#### Create an Issuing CA in Intune admin center <a href="#step-1-create-root-ca-in-admin-center" id="step-1-create-root-ca-in-admin-center"></a>

An issuing CA is required to issue certificates for Intune-managed devices. Cloud PKI automatically provides a SCEP service that acts as a certificate registration authority. It requests certificates from the issuing CA on behalf of Intune-managed devices using a SCEP profile. To create an issuing CA, please follow [this Microsoft guide](https://learn.microsoft.com/en-gb/mem/intune/protect/microsoft-cloud-pki-configure-ca#step-2-create-issuing-ca-in-admin-center).

{% hint style="info" %}
Please take note of the CRL distribution point, as you will need it later in [Step 2](#step-1-create-root-ca-in-admin-center-2).
{% endhint %}

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2F7MCXeAECia7oq6ALrUqH%2Fimage.png?alt=media&#x26;token=02f9f0f7-a3da-454b-a5fb-9f0fece04511" alt=""><figcaption><p>Root and Issuing CAs</p></figcaption></figure>
{% endstep %}

{% step %}

### Establish trust between RADIUSaaS and the Microsoft Cloud PKI

Configure RADIUSaaS to trust client authentication certificates issued by the Microsoft Cloud PKI. Since the Cloud PKI uses a tiered CA structure, you must upload both the Root CA and the Issuing CA (i.e. the complete chain of trust). To achieve this, please follow the steps below:

1. Navigate to [Trusted Certificates](https://docs.radiusaas.com/admin-portal/settings/trusted-roots).
2. [Upload](https://docs.radiusaas.com/admin-portal/settings/trusted-roots#add) the Contoso Cloud PKI **Root CA**, selecting **Client Authentication** in the upload process.
3. As a verification method, select **CRL** along with **DER** encoding.
4. Use the copied CRL distribution point URL of the Root CA in the **CRL Distribution Points** URL input field.\
   ![](https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FBysDSYfb60HoJYZooFO6%2Fimage.png?alt=media\&token=63bd15fc-04f1-4c0e-b89a-404f6f88dbad)
5. Upload the Contoso Cloud PKI **Issuing CA**, selecting **Client Authentication** in the upload process.
6. Again, select **CRL** as the verification method along with **DER** encoding.
7. Use the copied CRL distribution point URL of the Issuing CA in the **CRL Distribution Points** URL input field.\
   ![](https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2F6VLWwSE1UssDpLpY5A0S%2Fimage.png?alt=media\&token=9ecae690-c5ac-4726-9dee-4ae7aa390d56)
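Before uploading the two .cer files, it is worth confirming locally that the Issuing CA actually chains to the Root CA and that the CRL distribution point URL you copied from Intune is the one embedded in each certificate (a mismatch leaves RADIUSaaS unable to fetch the CRL). The script below is an added example, not part of the RADIUSaaS or Microsoft documentation; it builds a constructed two-tier chain with placeholder CDP URLs and runs those two checks with plain `openssl`, so you can point `cert_cdp` and `cdp_matches` at your real root.cer and issuing.cer instead.

```shell
#!/usr/bin/env bash
# Added example (not from the RADIUSaaS or Microsoft docs). Checks the two
# things Step 2 relies on: (1) the Issuing CA verifies against the Root CA and
# (2) the CDP URL copied from Intune equals the CDP embedded in each .cer file.
# The chain built here is constructed locally; both CDP URLs are placeholders.
set -euo pipefail
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT_CDP="http://crl.example.invalid/root.crl"        # placeholder, not a real CDP
ISSUING_CDP="http://crl.example.invalid/issuing.crl"  # placeholder, not a real CDP

# Build a constructed Root CA + Issuing CA pair whose certificates carry CDP extensions.
make_test_chain() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=Contoso Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\ncrlDistributionPoints=URI:%s\n' \
    "$ROOT_CDP" > "$WORK/root.cnf"
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Contoso Issuing CA\n[ca]\nbasicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\ncrlDistributionPoints=URI:%s\n' \
    "$ISSUING_CDP" > "$WORK/issuing.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/root.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/issuing.cnf" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/issuing.cnf" -extensions ca \
    -out "$WORK/issuing.pem" 2>/dev/null
  # Intune exports DER-encoded .cer files, so convert to what you would actually upload.
  openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.cer"
  openssl x509 -in "$WORK/issuing.pem" -outform DER -out "$WORK/issuing.cer"
}

# Print the CRL distribution point URI(s) embedded in a DER-encoded .cer file.
cert_cdp() {
  openssl x509 -inform DER -in "$1" -noout -text | sed -n 's/^ *URI://p'
}

# Succeed only if the Issuing CA verifies against the Root CA (complete chain of trust).
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/issuing.pem" >/dev/null 2>&1
}

# Succeed only if the CDP inside the certificate equals the URL copied from Intune.
cdp_matches() {
  [ "$(cert_cdp "$1")" = "$2" ]
}

make_test_chain
chain_ok && echo "chain: Issuing CA is signed by Root CA"
cdp_matches "$WORK/root.cer" "$ROOT_CDP" && echo "root CDP matches: $ROOT_CDP"
cdp_matches "$WORK/issuing.cer" "$ISSUING_CDP" && echo "issuing CDP matches: $ISSUING_CDP"
```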
{% endstep %}

{% step %}

### Configure the RADIUS Server Certificate

To establish server trust between your endpoint devices and RADIUSaaS, follow [these instructions](https://docs.radiusaas.com/configuration/generic-guide#step-3-radius-server-certificate-configuration).
{% endstep %}

{% step %}

### Configure your Networking Equipment

To configure your networking equipment (WiFi access points, switches, or VPN gateways), follow [these steps](https://docs.radiusaas.com/configuration/generic-guide#step-4-network-equipment-configuration).

After successful completion of Steps 2 - 4, the **Trusted Certificates** page of your RADIUSaaS instance will look similar to the one below. Please note that in our example we have used a RadSec-enabled [MikroTik](https://docs.radiusaas.com/configuration/access-point-setup/radsec-available/mikrotik) access point.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FBzFU8A0K3XI7VtUEeF2i%2Fimage.png?alt=media&#x26;token=43f0cfde-b360-4e17-b3b2-d28198469519" alt=""><figcaption><p>Trusted Certificates Overview required for the Microsoft Cloud PKI.</p></figcaption></figure>
{% endstep %}

{% step %}

### Configure Intune Profiles

To set up certificate-based WiFi authentication, we need to create a number of profiles and deploy them via Intune. These profiles are:

| Profile Type        | Purpose                                                                       |
| ------------------- | ----------------------------------------------------------------------------- |
| Trusted certificate | Deploy the Root CA certificate.                                               |
| Trusted certificate | Deploy the Issuing CA certificate.                                            |
| Trusted certificate | Deploy the Root CA certificate that has issued the RADIUS Server Certificate. |
| SCEP certificate    | Enroll the client authentication certificate.                                 |
| Wi-Fi               | Deploy the wireless network adapter settings.                                 |

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2FDckOIIVOYEHGSTmGXy08%2Fimage.png?alt=media&#x26;token=87d29b42-78a8-4619-91a8-5f0a359316ff" alt=""><figcaption><p>Relevant Intune Profiles</p></figcaption></figure>

#### Trusted certificate profiles

**Microsoft Cloud PKI**

Deploy the root CA and issuing CA certificates created in [Step 1](#step-1.-deploy-a-microsoft-cloud-pki) via a **Trusted certificate** profile to your devices by navigating to the **Intune admin center** and then to **Home** > **Devices** > **Windows** > **Configuration profiles** > **Create** > **New Policy** with the following parameters:

* Platform = Windows 10 and later
* Profile type = Template
* Template name = Trusted certificate

Upload the relevant certificate file (\*.cer) in the respective profile:

* Root CA certificate created [here](#step-1-create-root-ca-in-admin-center)
* Issuing CA certificate created [here](#step-1-create-root-ca-in-admin-center-1)

{% hint style="info" %}
Note that you have to use the same group for assigning the Trusted certificate and SCEP profiles. Otherwise, the Intune deployment might fail.
{% endhint %}

This must be repeated for every device platform that will use the service (e.g. Windows, macOS, ...).

**RADIUS Server Trust**

Next, push the root CA certificate that has issued your RADIUS Server Certificate as described here:

{% content-ref url="../../../profile-deployment/microsoft-intune/trusted-root" %}
[trusted-root](https://docs.radiusaas.com/profile-deployment/microsoft-intune/trusted-root)
{% endcontent-ref %}

#### SCEP Certificate Profile

To create a **SCEP certificate** profile in Intune admin center, first take a copy of the SCEP URI from **Home** > **Tenant admin** > **Cloud PKI** > **Contoso Issuing CA** > **Properties** > **SCEP URI**.

Next, go to **Home** > **Devices** > **Windows** > **Configuration profiles** > **Create** > **New Policy** with the following parameters:

* Platform = Windows 10 and later
* Profile type = Template
* Template name = SCEP certificate

Next, configure the template according to the screenshot below, making sure you attach the **Contoso Root Certificate** created earlier in Step 1 and the **SCEP URI** you copied above.

<figure><img src="https://1222554226-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSWU1DQ4UGkqER7uGNUOm%2Fuploads%2Fm6EwP7bLWT2zBuKGd8lo%2Fimage.png?alt=media&#x26;token=e7372449-57cd-4e09-9689-271dff73cc75" alt=""><figcaption><p>SCEP Device Certificate Configuration</p></figcaption></figure>

This must be repeated for every device platform that will use the service (e.g. Windows, macOS, ...).

#### Wi-Fi profile <a href="#step-1-create-root-ca-in-admin-center" id="step-1-create-root-ca-in-admin-center"></a>

Deploy the WiFi adapter settings to your devices by following this article:

{% content-ref url="../../../profile-deployment/microsoft-intune/wifi-profile" %}
[wifi-profile](https://docs.radiusaas.com/profile-deployment/microsoft-intune/wifi-profile)
{% endcontent-ref %}
{% endstep %}

{% step %}

### Permissions and Technical Contacts

{% hint style="warning" %}
This is a **mandatory** step.
{% endhint %}

First, review your [Permissions](https://docs.radiusaas.com/admin-portal/settings/permissions) to ensure the right persons in your organization have the right level of administrative access to your RADIUSaaS instance.

{% hint style="success" %}
To **prevent yourself from being locked** out of your RADIUSaaS instance, always ensure that either

* at least two user identities or
* one service account

are configured as [Administrators](https://docs.radiusaas.com/admin-portal/settings/permissions#administrators).
{% endhint %}

Next, ensure that we are able to contact you in case we have important technical information to share by reviewing the [Technical Contacts](https://docs.radiusaas.com/admin-portal/settings/permissions#technical-contacts) section.

{% hint style="success" %}
For us to **reliably deliver important information** to you via email, always ensure that either

* at least two email addresses of individuals or
* one shared mailbox / distribution list

are configured.
{% endhint %}
{% endstep %}

{% step %}

### Rules

{% hint style="info" %}
This is an **optional** step.
{% endhint %}

If you would like to configure additional rules, for example to assign VLAN IDs or limit authentication requests to certain trusted CAs or WiFi access points, please check out the RADIUSaaS Rule Engine.

{% content-ref url="../../../admin-portal/settings/rules" %}
[rules](https://docs.radiusaas.com/admin-portal/settings/rules)
{% endcontent-ref %}
{% endstep %}
{% endstepper %}
