Keytos Documentation on Keytos Docs

How-To: Issue SCEP Certificates to Windows Devices with Intune

Wed, 01 Apr 2026 08:00:00 -0500

Introduction - How to Issue SCEP Certificates to Windows Devices with Intune

This guide shows how to issue X509 certificates to Windows devices with Microsoft Intune and SCEP. You will create:

A Trusted Certificate profile to establish trust with your CA chain.
A SCEP Certificate profile to request and install certificates for users or devices.

By the end, your Windows devices will be able to enroll and receive certificates from your EZCA SCEP CA.

How-To: Add EZSSH Access to Endpoints With Cloud Init

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Have at least one policy with endpoints

Overview

EZSSH uses SSH Certificates to authenticate to endpoints. Since this is a OpenSSH supported protocol, no custom code has to run on your endpoints for authentication to work. By adding your EZSSH Certificate to your TrustedUserCAKeys your endpoint will start working with EZSSH.

In this page we will go through how to do this using cloud init. You might also be interested in:

How-To: Create a Subordinate ADCS CA in EZCA

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Overview - How To Create an External Issuing/Subordinate CA

As you start to modernize your PKI, you might want to move your Root CA to EZCA. However, your migration plan might still have some on-premises CAs for certain workloads. In this page we will go through how you can sign your external CA (for example ADCS (Active Directory Certificate Services) CA) with your EZCA Root.

How-To: Create Cloud RADIUS Network Policies for Certificate Authentication

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Create Cloud RADIUS Network Policies - Video Tutorial

Introduction to Managing Cloud RADIUS Network Policies in EZRADIUS

The Policies page in EZRADIUS allows you to create and manage your Cloud RADIUS network policies. Each policy defines the conditions under which a user or device can connect to your network, including authentication methods, accepted certificate authorities, and access policies.

How-To: Create EZRADIUS Cloud Radius as an Azure Resource

Mon, 30 Mar 2026 08:00:00 -0500

Free Trials

Due to Azure Marketplace limitations, we are unable to offer a free trial plan when creating EZRADIUS through the Azure Portal. To take advantage of our free trial, please create your EZRADIUS instance directly through our EZRADIUS Portal. After your trial period, you can migrate your policies to an Azure-based subscription.

Prerequisites

The Keytos Entra applications are registered in your tenant

How to Create Cloud RADIUS - Video Tutorial

How To Create EZRADIUS as an Azure Resource

Go to https://portal.azure.com/
Click on “Create a resource”.
Type “EZ RADIUS” in the search bar.
Press enter.
Select the EZRADIUS offering
Select the plan.
Click the “Subscribe” button
Enter your subscription and resource group information.
Enter the name of the subscription you want to use.
Click the “Review + Subscribe” button
Click the “Subscribe” button
Once the subscription is complete, click the “Configure account now” button.
This will redirect you to our portal (https://portal.ezradius.io/). Sign in with your same Microsoft account.
If you created an dedicated plan, select the deployment region and subdomain.
Click the “Create Instance” button. This will activate your Azure subscription and assign your account to an EZRADIUS instance.
Once your instance is ready, the instance URL will be displayed, it is recommended you bookmark this instance so you can enter it directly.
You can now access your EZRADIUS instance by clicking on the instance URL.
Once you have created your instance, you can now connect to your SIEM. Learn how to connect to your SIEM

How-To: Issue Entra CBA Smart Cards with Azure PKI

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites for Creating Entra CBA Smart Cards with EZCMS and EZCA

EZCA Subscription

Overview

Having certificate based authentication requires you to have a Certificate Authority that will issue certificates for your smart cards. We recommend using a PKI as a service CA such as our EZCA tool to have a compliant, HSM backed CA without all the management overhead.

Getting Started - Creating a Cloud PKI for Entra CBA

Go to https://portal.ezca.io/
Login with an account that is registered as a PKI Admin in EZCA.
Navigate to Certificate Authorities.
Click on the “Create CA”
Select Subordinate/Intermediate CA.
Click Next

Entering Cloud CA Information

Enter Common Name: This is the name of the CA how it will appear in the certificate.
(Optional) Enter CA Friendly Name This is the name that will appear in the EZCA portal, by default we will use the Common Name
(Optional) Enter the Organization The Organization field is an optional certificate field that usually has the company name.
(Optional) Enter the Organization Unit The Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (For example: IT or HR).
(Optional) Enter the Country Code The Country Code field is an optional certificate field that identifies the country where this CA is located.
Click Next.

Cryptographic Requirements

Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility.

Validity Period

Select your Validity Period Learn more about Validity Period best practices
Enter a Notification Email this email address (as well as the PKI Administrators) will get all the notifications for the lifecycle of the CA.
Select the lifecycle action you want EZCA to take when expiry of the CA is approaching (for now we recommend manually rotating the Certificate Authorities since Entra CBA does not support automatic CA rotation).
Select the percentage of lifetime of the certificate when you want EZCA to start taking Lifecycle actions.

CA Certificate Revocation List

Select if you want this CA should issue a CRL (Highly recommended)
Click Next.

CA Certificate Revocation List Advance Settings

Warning

Changes to this section are only recommended for PKI experts with specific requirements.

How-To: Manage Passkey and Smart Card Settings for Entra ID

Mon, 30 Mar 2026 08:00:00 -0500

The EZCMS setting page is your home to manage all things related to your subscription. From types of smart cards/FIDO2 Tokens you offer, to security settings such as pin complexity and card assignment requirements to RBAC for token administrators.

How to Set Instance Administrators

Instance administrators are the equivalent of global administrators of the application, this permission will allow the user to manage any setting of EZCMS as well as give themselves permission to execute any action in the portal.

How-To: Register ACME Agent in EZCA

Mon, 30 Mar 2026 08:00:00 -0500

For EZCA to validate the local domain ownership, we have to install a local agent in your network. This web service will receive all ACME request and validate the domain ownership on behalf of EZCA. In this step we will register the ACME Agent in EZCA to issue certificates for your CA.

Registering the Agent in EZCA

Navigate to the EZCA portal.
Navigate to Certificate Authorities.

How-To: Register the EZCMS Entra ID Application

Mon, 30 Mar 2026 08:00:00 -0500

Registering the Application

EZCMS uses two Entra ID Applications to authenticate you to our services. To register these applications in your tenant, login with a Global Administrator account at this link and consent on behalf of your organization.

Alternately, you can copy & paste the following URL into your browser:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=833a967e-8ae0-492b-b221-4e524cd6a142&prompt=admin_consent&response_type=code&redirect_uri=https%3A%2F%2Fwww.ezsmartcard.io%2FWelcome

Once this step is done, you are ready to Create EZCMS Resource in Azure

How-To: Register the EZRADIUS App in Your Azure Tenant

Mon, 30 Mar 2026 08:00:00 -0500

How to Register the Keytos Applications for EZRADIUS

EZRADIUS uses a set of Entra ID Applications to authenticate you to our services and manage your RADIUS infrastructure. To register these applications in your tenant, use your Global Administrator account and follow these steps:

Register the Keytos Applications in Your Entra Tenant

The Keytos and Keytos Client Entra ID applications are used by Keytos services including EZRADIUS to sign you in and manage your EZRADIUS, EZCA, and other Keytos services. This step must be done first before registering the EZRADIUS applications.

How-To: Register the Keytos EZMonitor Application

Mon, 30 Mar 2026 08:00:00 -0500

Registering the Application

EZMonitor uses two Entra ID Applications to authenticate you to our services. To register these applications in your tenant, login with a Global Administrator account at this link and consent on behalf of your organization.

Alternately, you can copy & paste the following URL into your browser:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=eddb4ead-89dd-4da8-9196-09c7ea82d724&prompt=admin_consent&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezmonitor.io%2FWelcome

Once this step is done, you are ready to start the sign up process. You can create your free trial through EZMonitor

How-To: Select an EZCA Plan in the EZCA Portal with a Free Trial

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Registering the application in your tenant

Video Version

To register for your EZCA free trial, begin by navigating to the portal corresponding with your desired EZCA instance:
- EZCA Global - Global instance hosted in a variety of global datacenters.
- EZCA EU - European instance hosted only in datacenters within the European Union.
- EZCA Australia - Australian instance hosted only in Australian datacenters.
Click on Log in

How-To: Select an EZMonitor Plan in the EZMonitor Portal

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Registering the application in your tenant

To register for your EZMonitor free trial, go to https://portal.ezmonitor.io/Signup
Click on “Log in”
Enter your Azure AD credentials.
You will be presented with this Screen:
Enter the Name of the Subscription (this is for your reference only).
Enter the AAD Users or Groups that are allowed to manage your billing settings.
During the Free trial you can enter the plan you will want to purchase after the trial is over, or you can click skip for now and come back once you have tried our product.
If you opted for selecting the plan, please also enter your credit card information and billing notification email below (you will not be charged until the trial is over).
Click Register!
After registering, you are ready to Connect EZMonitor to SIEM or to Start monitoring your domains

How-To: Select an EZSSH Plan in the EZSSH Portal

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Registering the application in your tenant

Video Version

To register for your EZSSH free trial, go to https://portal.ezssh.io/Signup
Click on “Log in”
Enter your Azure AD credentials.
You will be presented with this Screen:
Enter the Name of the Subscription (this is for your reference only)
Select if you want to have dual key approval for any policy changes (Admin operations)
By Default, GitHub Certificate are enabled, this help you secure your GitHub instance with SSH Certificates Read More if you will not use this feature, you can uncheck the box.
If you are using GitHub Certificates enter the length in hours that you want your developers certificates to last (This is how ofter the engineer has to get a new certificate). Note: In Keytos we have it set to 8 hours so our engineers only request access once a day
In Advance Setting you can set the location of where we keep your certificates. (By Default it is East US)
During the Free trial you can enter the plan you will want to purchase after the trial is over, or you can click skip for now and come back once you have tried our product.
If you opted for selecting the plan, please also enter your credit card information and billing notification email below.
Click Register!
Once you are registered, you are ready to connect to your Azure Subscriptions and GitHub Instances.

How-To: Setup IIS

Mon, 30 Mar 2026 08:00:00 -0500

Introduction

For EZCA to connect to your ADCS CAs it is required for a domain joined machine to run the EZCA certificate agent web service. This web service receives authenticated requests from EZCA and then requests the certificate on behalf of EZCA. The first step is setting up IIS in a Windows machine.

Setting up the Server

Install IIS Windows feature

In a domain joined PC open an Administrator PowerShell window and run the following command:

How-To: Distribute EAP-TLS WiFi Profiles to non managed Apple iOS devices with EZRADIUS

Tue, 21 Oct 2025 01:22:09 -0500

How to Distribute WiFi Profiles to non managed iOS devices with EZRADIUS

If your organization has enabled self-service wifi profiles you can create your own Wi-Fi profile for your Apple devices. There are three ways to obtain them: EZRADIUS sent you an email with the profile, you downloaded the profile from the EZRADIUS portal, or request an email with your profile from the EZRADIUS portal.

How to Install Wi-Fi Profile on MacOS - Video Tutorial

Option 1: Email Received from EZRADIUS

If you received an email from EZRADIUS with your profile, follow these steps to install the profile on your Apple device:

Learn About the Difference Between Private and Public CAs

Tue, 21 Oct 2025 01:22:09 -0500

What is The Difference Publicly Trusted CAs vs Private CAs

As mentioned in the CA Overview, PKI is based on trust. Clients must trust the Root Certificate Authority to build a chain of trust and accept a certificate. The key difference between a publicly trusted and private certificate authority is that all computers and browsers trust publicly trusted Certificate Authorities while private CAs will have to be explicitly added by the IT administrator. Both private and public certificates have their valid use cases. In the following sections we will help you choose which certificate type you should use by showing some sample use cases for each type of certificate.

Learn How to Get Started with Certificate Authorities

Tue, 21 Oct 2025 01:22:09 -0500

What Are Certificate Authorities

In cryptography a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.

Learn the Differences Between Root CA and Issuing CAs

Tue, 21 Oct 2025 01:22:09 -0500

What are the Differences Between a Root CA and Issuing CA

As mentioned in the two tier hierarchy explanation, the two tier hierarchy has two CA types: Root CA and Issuing/Subordinate CA.

Root CA

As the name implies, the Root CA is the root of trust for your PKI. To trust a certificate chain, the root certificate has to be added to the trusted root store of the operating system. How To Trust a New Root CA.

How-To: Download EZSSH

Sun, 05 Oct 2025 01:22:09 -0500

Tenant Prerequisites

The following prerequisites have to be done only once per tenant.

Windows

Command line tool

ezssh is also available as a standalone Windows installer. Download the installer and click through the installation process. Once ezssh is installed, open a new terminal and you should be ready to start using ezssh.

EZSSH UI

EZSSH UI is currently in beta and the installer can be downloaded from here

How-To: Register the Keytos Entra ID App in Your Tenant

Sun, 05 Oct 2025 01:22:09 -0500

Prerequisites

Before you begin, ensure that you are logged into Entra ID as a Global Administrator user or you have elevated to Global Administrator via Entra Privileged Identity Management (PIM).

Register Keytos Entra Applications

Alternately, you can copy & paste the following URL into your browser:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=eddb4ead-89dd-4da8-9196-09c7ea82d724&prompt=admin_consent&response_type=code&redirect_uri=https%3A%2F%2Fportal.ezssh.io%2FWelcome

Next Steps

Once the applications are registered, you are ready to start the sign up process. You can create your free trial through EZSSH or Azure Marketplace.

How-To: Self-Enroll YubiKeys and FIDO2 Keys for Entra CBA Using Verifiable Credentials

Sun, 05 Oct 2025 01:22:09 -0500

Introduction - How to Self-Enroll Smartcards and FIDO2 Keys for Entra CBA Using Government ID EZCMS

If you are creating your phishing resistant identity for the first time or you are locked out of your Entra ID (Microsoft 365) credential, depending on the settings of your organization you might be able to onboard your FIDO2 or Entra CBA token using a government ID. This requires you to have your hardware key or smartcard, if you do not have one request one.

Learn About EZSSH Policies

Sun, 05 Oct 2025 01:22:09 -0500

What Are EZSSH Policies?

EZSSH makes it easy to manage access to your SSH endpoints by using your corporate identity to seamlessly create SSH Certificates and connect you to the desired endpoint without any changes to the endpoint or input from the user. However, to create this great experience, EZSSH needs to know who in your organization has access to those endpoints. We do this by creating Access Policies. These policies allow you to say who has auto approved access, who needs someone else to approve the access, and who is authorized to approve requests.

How To Create Cloud Radius Free Trial with EZRADIUS

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

The Keytos Entra applications are registered in your tenant

How to Create Cloud RADIUS Free Trial

Go to https://portal.ezradius.io/Signup
Enter the Subscription Name (This is a friendly name for your subscription for your reference).
Select the location you want to deploy your RADIUS service.
Select your plan and optionally enter your credit card information. Click “Skip for now” to start your free trial without entering payment information. (If you do enter a credit card, you will not be charged for the first month)
Scroll to the top of the page and click on the “Register” button.
Once your instance is ready, the instance URL will be displayed, it is recommended you bookmark this instance so you can enter it directly.
Now you can create your fist policy

How-To: Add EZSSH Access to Endpoints With Bash Script

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Have at least one policy with endpoints

Overview

In this page we will go through how to do this with running a bash script on an existing endpoint. You might also be interested in:

How-To: Create ADCS CA Templates For EZCA Integration

Mon, 30 Mar 2026 08:00:00 -0500

Introduction

In this page we will walk you through how to set up your ADCS CA to have an enrollment agent certificate and use that enrollment certificate to issue certificates.

Creating Enrollment Certificate

Open The Certificate Authority management console.
Right click the Certificate Templates Folder.
Click Manage.
Right click the Enrollment Agent Template
Select the Duplicate option.
Switch to the General tab.
Change the Name to EZCA Enrollment Agent.
Change validity period to 2 months.
Navigate to the Security tab.
Click Add.
Click Object Types.
Add Service Accounts.
Click OK.
Enter the name of your gMSA. Note: if you have not created your gMSA go to the create gMSA section of these docs
Click OK.
Back in the security tab, make sure the gMSA has read and enroll rights to this template.
Navigate to the Subject Name tab.
Select the “Supply in the request” option.
Save the changes and exit the dialog by Clicking the OK button.
Back in the Certificate Authority management console, click on Certificate Templates.
Once in the Certificate Templates page, right click any whitespace and select New > Certificate Template to Issue.
Select the EZCA Enrollment Template that we just created.
Your CA can now issue this certificate to the EZCA gMSA. Repeat the last 3 steps on each CA that you want to enable this template.

Create EZCA Test Certificate Template

To ensure high uptime, EZCA will create test certificates in each of the registered CAs every few minutes. To enable this, we will create a short lived template for EZCA to Issue.

How-To: Create CA Templates For Entra CBA Smart Cards

Mon, 30 Mar 2026 08:00:00 -0500

Introduction

In this page we will walk you through how to set up your ADCS CA to have an enrollment agent certificate and use that enrollment certificate to issue certificates.

Creating Enrollment Certificate

EZCMS will use a certificate issued by your CA to sign the requests and authenticate that the request was issued by our EZCMS agent. In the following steps I will walk you through how to create the template for this certificate.

How-To: Create Cloud RADIUS Network Policies that Uses Entra ID Passwords

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Create Cloud RADIUS For Entra ID Password Authentication - Video Tutorial

Introduction to Managing Cloud RADIUS Network Policies in EZRADIUS

How-To: Create Your First Hybrid Policy

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Overview

EZSSH Hybrid policies are the best option to manage access to your cross-cloud and on-premise Linux endpoints. This policy allows you to manage access to your resources without the need of a highly privilege agent.

Video Version

Getting Started

Go to https://portal.ezssh.io/
Navigate to Hybrid Policies
Click on the “Create New Policy”
Enter Policy Name: This name is just to make it easier for users to know what this policy gives them access to.
Enter Notification Email: Usually a team DL that would get notifications for changes to the policy.

Adding Policy Owners

Overview

Policy owners are the people that can make changes to EZSSH policies.

How-To: Issue SCEP Certificates to macOS Devices with Intune

Mon, 30 Mar 2026 08:00:00 -0500

Introduction - How to Issue SCEP Certificates to macOS Devices with Intune

This guide shows how to issue X509 certificates to macOS devices with Microsoft Intune and SCEP. You will create:

A Trusted Certificate profile to establish trust with your CA chain.
A SCEP Certificate profile to request and install certificates for users or devices.

By the end, your macOS devices will be able to enroll and receive certificates from your EZCA SCEP CA.

How-To: Select an EZCA Plan in Azure Portal

Mon, 30 Mar 2026 08:00:00 -0500

Azure Billing + Free Trials

Creating an EZCA plan through the Azure Marketplace will bill you through your Azure subscription and count towards your Azure consumption commitments. If you prefer to be billed directly through Keytos, please follow the steps in the EZCA Portal instead.

A free trial is not available when signing up through the Azure Marketplace.

Prerequisites

Ensure the EZCA application is registered in your tenant

How To Create EZCA as an Azure Resource

Go to https://portal.azure.com/

How-To: Select an EZMonitor Plan in the Azure Portal

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Registering the application in your tenant

Creating the Azure Resource

Go to https://portal.azure.com/
Click on “Create a resource”.
Type “EZMonitor” in the search bar.
Press enter.
Select the EZMonitor offering
Select the plan.
Click the “Subscribe” button
Enter your subscription and resource group information.
Click the “Review + Subscribe” button
Click the “Subscribe” button
Once the subscription is complete, click the “Configure account now” button.
This will redirect you to our portal (https://portal.ezmonitor.io/). Sign in with your same Microsoft account.
Enter the AAD Users or Groups that represent your subscription administrators
Once you have added the subscription administrators, click the “Purchase Plan” button.
Once you have registered in EZMonitor, the status in your Azure resource will change to subscribed.
Now you are ready to monitor your domains.

How-To: Setup EZCA ACME Agent

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Introduction - Setup Internal ACME Agent To Issue Certificates To Your Local Network

How To Setup The Server

Install IIS Windows feature

In a Windows Server open an Administrator PowerShell window and run the following command:

How-To: Setup Remote FIDO2 and CBA Onboarding in Azure

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Registering the application in your tenant

How to Enable FIDO2 and Entra CBA Onboarding in Azure Video Version

Creating the Azure Resource

Go to https://portal.azure.com/
Click on “Create a resource”.
Type “EZCMS” in the search bar.
Press enter.
Select the EZCMS offering
Select the plan.
Click the “Subscribe” button
Enter your subscription and resource group information.
Click the “Review + Subscribe” button
Enter your email and phone number
Click the “Subscribe” button
Once the subscription is complete, click the “Configure account now” button.
This will redirect you to our portal (https://www.ezsmartcard.io/). Sign in with your same Microsoft account.
Enter the Sub-domain you want to use for your EZCMS Instance
Select the Azure Region where you want your resources to be created.
Once the subscription details are correct, click the “Create Instance” button. This will create your private EZSmartCard instance.
After 10-20 minutes, your private Azure resources will be created and you can set up your smart card settings

How-To: Troubleshoot Cloud RADIUS Entra ID Authentication

Mon, 30 Mar 2026 08:00:00 -0500

How To Troubleshoot Entra ID Wifi Authentication in EZRADIUS

If you have setup your Cloud RADIUS instance and are having trouble authenticating users with Entra ID, this guide will help you troubleshoot your Cloud RADIUS configuration for Entra ID Wifi Authentication in EZRADIUS.

How to Troubleshoot Entra ID RADIUS Username not found

The most common issue with Entra ID authentication is that the username is not found. This is usually caused due to your device defaulting to MSCHAPv2 authentication which is not supported by Entra ID, therefore EZRADIUS assumes that the username is for a local user. To solve this issue, you need to configure your client device to use EAP-TTLS PAP authentication. For testing, you can do it manually in the device, however this does not scale well. To solve this issue at scale, you can use your MDM to push the wifi profile (once the profile is installed then the user will login as usual with username and password) or the EZRADIUS Profile creator that allows you to create wifi profiles and send them to your users.

How-To: Trust a Root Certificate in Windows and macOS

Mon, 30 Mar 2026 08:00:00 -0500

Overview - How To Install a Root CA in Windows

As mentioned in the CA Overview for a CA to be trusted by an organization it has to be added to the trusted root store of all their devices. This guide will guide you on how to install it in Windows Certificate Root Store.

Getting the Root CA Certificate from EZCA

Go to https://portal.ezca.io/
Navigate to Certificate Authorities.
Click the “View Details” button for the CA you want to download the certificate from.
Click the “Download Certificate” button for the location that you want to download the certificate from.

Installing Certificate Through Intune

Usually MDM solutions is the preferred way IT Admins install internal Root CAs as a trusted authority in all of the corporate devices. To do this in Microsoft Intune, follow this guide

How-To: Use EZSSH Interactive Mode

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Tenant Prerequisites

The following prerequisites have to be done only once per tenant.

Starting Interactive Mode

The easiest way to explore your resources and connect to them is using EZSSH Interactive mode.

First run the following command in your favorite terminal:

ezssh i

This command will start ezssh in interactive mode.
This will show you 5 different options, let’s explore each one.

List My Policies

Press 0 to List the policies you own or have access to.
This will list the policy name, and whether it is a Hybrid or Azure Policy. You can learn the difference between the two
Select the policy you want to explore
This will give you two options List policy’s endpoints and Download policy’s endpoints to csv (for batchssh)

List Endpoints

List endpoints will give you a list of all the endpoints available in that policy (One endpoint might have multiple rows if it has different Linux user principals in the policy)
Enter the number of the endpoint you want to connect or the number for going back to the policy menu.
If you use Azure Networking JIT EZSSH can make the request to open it for you. Enter y for opening a JIT request. Press enter to skip.
EZSSH defaults to try to connect to port 22, if your endpoint uses another port, enter the port number. Press enter to skip.
EZSSH works on the Just In Time methodology of just giving users access for the time they need, enter the number of hours you need access to the machine. It defaults to the maximum allowed time for that machine. Press enter for the default value.
SSH session will start in another window.

Download policy’s endpoints to csv (for batchssh)

Download policy endpoints gives you the option of saving the policy endpoints into a CSV that can then be used to connect to multiple endpoints at once

How-To: Troubleshoot EZSSH Issues with GitHub

Tue, 03 Mar 2026 01:22:09 -0500

Common Issues with the ezssh CLI for GitHub

Authentication Errors Troubleshooting

Make sure to run ezzshh git before running your Git Commands
Make sure your git repository is on the Git organization that trusts EZSSH
Make sure you have the right access to the repository.

Permission Denied (publickey) Error on Windows

If when you run:

 ssh YOURGITORGADDRESS

you are able to authenticate. But when you run any git operation you get the following error:

How-To: Create a Local Proxy for Cloud RADIUS

Thu, 15 Jan 2026 08:00:00 -0800

Prerequisites to Create a Local Proxy for Cloud RADIUS

EZRADIUS Subscription (This is included in all EZRADIUS tiers).
Setup your Access Policies.
EZCA SCEP or SSL CA to issue client certificates to the proxy.
Local Server (Linux) to host the proxy
Permissions to create an Entra ID Application

System Requirements for Local RADIUS Proxy

Operating System: Ubuntu 24.04 or later
CPU: 2 cores minimum
RAM: 4 GB minimum

Note

While Keytos support can advise on software features and basic troubleshooting, please note that hosting and managing the underlying hardware for a Local RADIUS Proxy is self-service and not included in our basic support. If you would like to meet with a Keytos engineer to discuss a hosting plan and review your system architecture, we offer professional services to help you get set up.

How-To: Enable WiFi Certificate Authentication in Intune

Tue, 25 Nov 2025 01:22:09 -0500

Prerequisites

The Keytos Entra ID applications are registered in your tenant
You have signed up for an EZRADIUS Plan
You are a Subscription Owner or Network Administrator
You are an Intune Administrator
You have created Intune Trusted Certificates and SCEP profiles to issue certificates to your devices.

SCEP Configuration

This guide assumes that you have already set up your Trusted Certificates and SCEP Profiles for your PKI in your Intune portal. If you have not done so, please follow the guide on how to create Intune Trusted Certificates and SCEP profiles, or watch this 5 minute video where you proceed.

How-To: Enable WiFi Entra ID Authentication in Intune

Tue, 25 Nov 2025 01:22:09 -0500

Prerequisites

The Keytos Entra ID applications are registered in your tenant
You have signed up for an EZRADIUS Plan
You are a Subscription Owner or Network Administrator
You are an Intune Administrator

How to Enable WiFi Entra ID Authentication in Intune

The following steps will guide you through the process of creating a WiFi profile in Intune that uses Entra ID Password Authentication with EZRADIUS. At a high level, you will need to:

How-To: Distribute WiFi Profiles Windows to non managed devices with EZRADIUS

Tue, 21 Oct 2025 01:22:09 -0500

How to Distribute WiFi Profiles to non managed Windows devices with EZRADIUS

If your organization has enabled self-service wifi profiles you can create your own Wi-Fi profile for your Windows devices. There are three ways to obtain them: EZRADIUS sent you an email with the profile, you downloaded the profile from the EZRADIUS portal, or request an email with your profile from the EZRADIUS portal.

Option 1: Email Received from EZRADIUS

If you received an email from EZRADIUS with 3 different files: Root CA certificate (root.cer), the Windows Wi-Fi Profile (wifi-profile.xml), and your Wi-Fi Certificate (certificate.pfx), each file will be used to install the profile on your Windows device.

Learn How to Renew a Certificate Authority Without Outage

Tue, 21 Oct 2025 01:22:09 -0500

Overview - How to Renew a Certificate Authority Without Outage

Renewing a Certificate Authority (CA) is a critical task that must be performed without causing disruptions to the services that rely on the certificates issued by the CA. This guide outlines the steps necessary to rotate a private CA seamlessly, ensuring that all dependent systems continue to function without interruption.

Differences Between Renewing a Root CA and a Subordinate CA

When renewing a Root CA, the process is more complex and requires careful planning. The Root CA is the trust anchor for all certificates issued by it and its subordinate CAs. Renewing a Root CA basically means that you have to issue the new Root CA certificate, distribute it to all clients, and ensure that all services trust the new Root CA. Then you can start issuing certificates from the new Root CA.

How-To: Manage YubiKey and Smart Card Inventory for Entra ID

Sun, 05 Oct 2025 01:22:09 -0500

Overview - How To Manage Key Inventory and Prevent Supply Chain Attacks for Hardware Tokens

EZCMS best practices recommend that all hardware tokens (YubiKey, FIDO2 Keys, and Smartcards) issued are pre-registered by your organization. This pre-registration allows you to keep track of your inventory as well as preventing supply chain attacks where you send the keys to the user and someone changes the key for a compromised Key.

How-To: Issue SCEP Certificates to Android Devices with Intune

Wed, 01 Apr 2026 08:00:00 -0500

Introduction - How to Issue SCEP Certificates to Android Devices with Intune

This guide shows how to issue X509 certificates to Android devices with Microsoft Intune and SCEP. You will create:

A Trusted Certificate profile to establish trust with your CA chain.
A SCEP Certificate profile to request and install certificates for users or devices.

By the end, your Android devices will be able to enroll and receive certificates from your EZCA SCEP CA.

How-To: Add EZSSH Access to Endpoints With Pulumi

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Overview

In this page we will go through how to do this by deploying to Azure using Pulumi. You might also be interested in:

How-To: Create Cloud RADIUS Network Policies for Local User Authentication

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

You have created local RADIUS users.

Introduction to Managing Cloud RADIUS Network Policies in EZRADIUS

How-To: Create Your First Azure Policy

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Overview

Azure Policies are the best option for easily and seamlessly connecting to Azure SSH endpoints using AAD Identities. The policy will have a scope (Subscription or Resource Group) and will manage access to the resources inside the scope.

Video Version

Getting Started

Go to https://portal.ezssh.io/
Navigate to Azure Policies
Click on the “Create New Policy”
Enter Policy Name: This name is just to make it easier for users to know what this policy gives them access to.
Enter Notification Email: Usually a team DL that would get notifications for changes to the policy.
Select the Scope Type
Select the Policy Scope from the dropdown.
Note

If you do not see your scope here. Test EZSSH Azure Access

How-To: Setup Access To Azure Resources

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Introduction

Creating an Azure Policy requires EZSSH to have access to your subscription. Based on what features you want to enable you can give it different permissions. If you want to use our “Auto Add” Feature that automatically adds your EZSSH Policy certificate to the machines we detect in your subscription, Contributor role is required. If you only want EZSSH to detect the machine and you will add the certificate to the machines, using your deployment templates (Pulumi Example) then only Reader role is required.

How-To: Setup ACME Clients for Internal PKI

Mon, 30 Mar 2026 08:00:00 -0500

Introduction - How To Automate Certificate Management with ACME for Internal PKI

ACME (Automatic Certificate Management Environment) is a communication protocol for automating certificate lifecycle between certificate authorities and servers. This automation dramatically reduces the cost of certificate lifecycle and prevents costly outages.

Since ACME depends on the validation of domain ownership, an agent has to be deployed in your local network. In this section we will guide you on how to point the most common ACME agents to your EZCA Agent.

How-To: Setup EZCA ADCS Agent To Automate Microsoft CA Certificate Management

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Introduction - How To Manage ADCS Certificates in a web portal With EZCA

For EZCA to connect to your ADCS CAs it is required for a domain joined machine to run the EZCA certificate agent web service. This web service receives authenticated requests from EZCA and then requests the certificate on behalf of EZCA. In this page we will set up the Agent, from registering the gMSA to getting the Agent operational.

How-To: SSH to an Endpoint

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Tenant Prerequisites

The following prerequisites have to be done only once per tenant.

Starting the SSH Session

To Start an SSH Session to an endpoint you have access to simply run:

ezssh ssh -e USERNAME@ENDPOINT

EZSSH will start the SSH Session in a new window.

How-To: Troubleshoot EZSSH Issues with Azure Resources

Mon, 30 Mar 2026 08:00:00 -0500

Troubleshooting EZSSH Not Finding Your Azure Resources

If EZSSH cannot find your Azure resources you will need to verify that the EZSSH Application has access to your Azure resources.

The easiest way to check, is by going to https://portal.ezssh.io/ and navigating to the settings page.

Once in the setting page click the “Test Domain Setup” button.

How-To: Distribute WiFi Profiles to non managed Android devices with EZRADIUS

Tue, 21 Oct 2025 01:22:09 -0500

How to Distribute WiFi Profiles to non managed Android devices with EZRADIUS

If your organization has enabled self-service wifi profiles you can create your own Wi-Fi profile for your Android devices. There are 2 ways to obtain them: EZRADIUS sent you an email with the profile or request an email with your profile from the EZRADIUS portal.

How To Request an Email with your Wifi Profile from the EZRADIUS Portal

If you need access to your Wifi and your administrator has enabled self service profile distribution in EZRADIUS, you can request an email with your certificate from the EZRADIUS portal.

How-To: Install Wifi Certificate on MacOS

Tue, 21 Oct 2025 01:22:09 -0500

How to Distribute WiFi Profiles to non managed iOS devices with EZRADIUS

Option 1: Email Received from EZRADIUS

If you received an email from EZRADIUS with your profile, follow these steps to install the profile on your Apple device:

How-To: Assign Smartcards and FIDO2 Keys for Entra CBA

Sun, 05 Oct 2025 01:22:09 -0500

Overview

With current distributed workforce, additional security measures have to been added to smart card distribution. To mitigate the supply chain risks added by shipping smart cards to remote workers, EZCMS allows you to assign each smart card to a user, ensuring that only that user can add certificates to that smart card.

How To Assign a Smart Card and FIDO2 Keys for Entra CBA

Open your EZCMS client application.
Login with your Entra ID user account that is a smartcard administrator in EZCMS.
Select the “Admin Manage Security Tokens” Page on the left menu.
Select the “Assign Security Token” tab.
If you are using an modern token that supports Key attestation such as a YubiKey or a FEITIAN Key, connect the token you want to assign to the user.
Select a user from the queue.
Select the token you want to assign to the user.
If shipping enter the tracking number of the package.
Click “Next” on the bottom right to assign the token to the user.

How-To: Issue SmartCard Certificates With ECMS Agent

Sun, 05 Oct 2025 01:22:09 -0500

Prerequisites

Introduction

For EZCMS to connect to your ADCS CAs it is required for a domain joined machine to run the EZCMS certificate agent web service. This web service receives authenticated requests from EZCMS and then requests the certificate on behalf of EZCMS. In this page we will set up the Agent, from registering the gMSA to getting the Agent operational.

How-To: Self-Enroll YubiKeys and FIDO2 Keys Using your Existing Entra ID Account

Sun, 05 Oct 2025 01:22:09 -0500

How to Self-Enroll Smartcards and FIDO2 Keys for Entra CBA Using Entra ID and EZCMS

This page will guide you on how to create your passwordless identity, your organization might require you to have a hardware token if you have not requested a hardware token, please request one.

How To Onboard Phishing Resistant FIDO2 and Entra CBA with Existing Microsoft 365 Account

Open the EZCMS Tool.
Login.
Navigate to “Request Identity”.
Select “SSO Login” and click Next.
Connect the hardware key or smartcard to your computer.
Select the domain and account you want to create an identity for.
Select the Hardware key you want to use.
Enter your PIN (If this is the first time it will ask you to confirm your PIN).
Click “Next”
Follow the instructions on the screen (If it freezes, it might be waiting for input on your YubiKey, look at the YubiKey to see if it is flashing slowly, if it is, press the copper part).
Your Key is now read to use!

How-To: Unlock Preloaded Entra CBA SmartCard

Sun, 05 Oct 2025 01:22:09 -0500

Introduction - How to Unlock Preloaded Entra CBA SmartCard

If your IT department has preloaded your smart card with your identity, you will need to unblock the smart card before you can use it. This guide will show you how to unblock your smart card. To unblock your smartcard there are 3 different methods, depending on your organization’s settings, you might have one or more of the following options:

How To: Setup Certificate Authentication in GitHub

Thu, 02 Apr 2026 01:22:09 -0500

Introduction - Protecting Your GitHub Repositories with SSH Certificates

EZSSH Helps you protect your code hosted in GitHub by removing the non-expiring ssh keys from the equation. Instead using your secure corporate identity to authenticate the engineers and issuing a short term SSH certificate that can be used to authenticate with GitHub.

Prerequisites

Before you can set up SSH Certificate Authentication for GitHub, you will need to have the following:

How-To: Connect to Multiple Endpoints at Once with EZSSH

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Tenant Prerequisites

The following prerequisites have to be done only once per tenant.

Video Version

Getting the CSV

The easiest way to get a CSV of your endpoints is using EZSSH Interactive Mode.

How-To: Issue SCEP Certificates to Linux Devices with Intune

Mon, 30 Mar 2026 08:00:00 -0500

Introduction - How to Issue SCEP Certificates to Linux Devices with Intune

This guide shows how to issue X509 certificates to Linux devices with Microsoft Intune and SCEP. You will create:

A Trusted Certificate profile to establish trust with your CA chain.
A SCEP Certificate profile to request and install certificates for users or devices.

While Intune has SCEP profiles for Mac and iOS devices, Windows, and Android, it does not have a specific profile for Linux devices. However, we have created some custom profiles that will allow you to issue certificates to Linux devices.

How-To: Register ADCS Agent in EZCA

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Introduction

The last step to linking EZCA to your existing ADCS CAs is registering the CA in EZCA.

Registering the CA in EZCA

Navigate to the EZCA portal.
Navigate to Certificate Authorities.
Click on the “Create CA”.
Select ADCS CA.
Press Next.

Connect CAs

Now we will connect EZCA to all the CAs you want to manage with EZCA.

How-To: Manage your Cloud RADIUS Local Users

Mon, 03 Nov 2025 01:22:09 -0500

Prerequisites

Introduction - How to Manage Local RADIUS Users in EZRADIUS

While we recommend using EAP-TLS for your RADIUS users, we understand that some devices might not support this protocol and you might have to fall back to passwords. In this page we will go through how to manage your Local users and passwords in EZRADIUS.

How-To: Distribute WiFi Profiles For Entra ID to non managed Apple iOS devices

Tue, 21 Oct 2025 01:22:09 -0500

How to Distribute WiFi Profiles for Entra ID to non managed iOS devices with EZRADIUS

If your organization has enabled self-service wifi profiles you can create your own Wi-Fi profile for Entra ID for your Apple devices. There are three ways to obtain them: EZRADIUS sent you an email with the profile, you downloaded the profile from the EZRADIUS portal, or request an email with your profile from the EZRADIUS portal.

How-To: Delete/Unassign Smartcards and FIDO2 Keys for Entra CBA

Sun, 05 Oct 2025 01:22:09 -0500

Overview - How to Delete/Unassign YubiKeys and FIDO2 Keys for Entra CBA

When a user no longer needs a the smartcard or FIDO2 key, EZCMS gives you two options, one is to remove the user assignment of that key allowing you to re-use that card by assigning it to a new user, or delete the key from the inventory invalidating all it’s certificates and preventing this smart card to be assigned again.

How-To: Preload Smartcards and FIDO2 Keys for Entra CBA

Sun, 05 Oct 2025 01:22:09 -0500

Overview - How To Preload Smartcards and FIDO2 Keys for Entra CBA

For highly regulated industries, the PIV standard requires in person verification to create the smart card, this page explains how a smart card administrator can create smart cards for users. While this is how smartcards have been created in the past, if this is not a regulatory requirement, we recommend using the self-service smart card and FIDO2 creation for a more streamlined process.

How-To: Access GitHub with EZSSH

Mon, 30 Mar 2026 08:00:00 -0500

Tip

If you are having trouble authenticating to your git repository, make sure to check out our Troubleshooting git problems guide

Prerequisites

Download EZSSH

Tenant Prerequisites

Your tenant admin/GitHub admins must connect EZSSH to GitHub Enterprise before users are able to login to Git using EZSSH.

Video Version

Usage

Go to your favorite terminal, and enter:

ezssh git

The first time it will ask you to login with your Azure Active Directory Account
You should get a “GitHub identity created successfully” message
Start using your favorite Git Tool for committing your code!

Note

EZSSH Git certificates are short lived (based on your organizations settings might last between 1 and 72 hours). You will have to run this command each time the certificate is expired.

How-To: Create Dashboards for EZRADIUS your Cloud RADIUS Service in Azure

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Create Dashboards for EZRADIUS in Azure

If you are pushing your EZRADIUS logs to Azure Log Analytics, Azure Sentinel, or Azure Monitor, you can create dashboards to monitor your RADIUS service. We have created a dashboard template that you can import into your Azure Monitor workspace. Once imported, you can customize the dashboard to fit your needs.

How-To: Export EZSSH Logs to Azure Sentinel

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Video Version

Introduction

EZSSH enables your security team to monitor access granted through EZSSH by pushing the information to your SIEM. If your SIEM provider is not currently supported email your Keytos contact and request a connector for that specific provider.

How-To: Retrieve User PUK

Mon, 30 Mar 2026 08:00:00 -0500

Overview

If PUK retrieval is activated in your subscription, your IT team can help users unblock their blocked smart card by leveraging the SmartCard’s Pin Unblocking Key (PUK) a key that allows you to reset the pin without having to reset the smart card and lose the cryptographic keys.

Note

This setting cannot be retroactively enabled since EZSmartCard will not store the randomized PUKs if PUK retrieval is not enabled.

How-To: Enable WiFi Certificate Authentication For Linux in Intune

Wed, 25 Mar 2026 01:22:09 -0500

Prerequisites

Registering the application in your tenant
Creating Cloud Radius Instance
Being a Subscription Owner or Network Administrator
Being an MDM Administrator.
Have a certificate in the Device, if you do not have one, follow the guide on how to create Intune SCEP profiles for Linux.

How to Linux Enable WiFi Certificate Authentication in Intune

Go to your Intune portal: https://aka.ms/Intune
Select: Devices -> Linux -> Scripts.
Click the “Add” button.

How-To: Distribute WiFi Profiles to non managed devices For Entra ID

Tue, 21 Oct 2025 01:22:09 -0500

How to Distribute WiFi Profiles to non managed Windows devices with EZRADIUS

While this is not necessary since you can setup windows for Entra ID Wifi Authentication, If your organization has enabled self-service wifi profiles you can create your own Wi-Fi profile for your Windows devices. There are three ways to obtain them: EZRADIUS sent you an email with the profile, you downloaded the profile from the EZRADIUS portal, or request an email with your profile from the EZRADIUS portal.

How-To: Use EZRADIUS Cloud RADIUS with Microsoft Intune Cloud PKI

Tue, 21 Oct 2025 01:22:09 -0500

How Can I Use My Cloud PKI Certificates with RADIUS for Passwordless Wi-Fi Authentication?

Microsoft Cloud PKI allows you to issue certificates to your Intune-managed devices. But once you have certificates on your devices, how can you use them for Wi-Fi authentication?

EZRADIUS Cloud RADIUS natively supports certificate-based authentication, making it easy to leverage your Cloud PKI certificates for secure, passwordless Wi-Fi access. No more passwords or complex on-premises RADIUS servers. Just configure EZRADIUS to trust your Cloud PKI and you’re set.

Learn the Differences in Cryptographic Algorithms for PKI

Tue, 21 Oct 2025 01:22:09 -0500

What are RSA Keys

RSA (Rivest Shamir Adleman) has been the standard for asymmetric cryptography for 3 decades. RSA uses the prime factorization method for one-way encryption of a message. While certain attacks have been found due to poorly implemented random number generation, this method has passed the test of time by being a trusted cryptographic method for over 3 decades with no significant findings. While the algorithm is very secure, with the advances on compute, factorizing large numbers has become easier for large computers, forcing the industry to move from 512 bit keys, to 1024 bit keys, and now 2048 bit keys and some governments recommending 4096 bit keys.

How-To: Transfer Your EZCA Cloud Certificate Authority to a New Subscription

Mon, 30 Mar 2026 08:00:00 -0500

Overview - Transfer Your EZCA Cloud CA to a New Subscription

This guide provides step-by-step instructions on how to transfer your EZCA Cloud Certificate Authorities to a new subscription. This is required if you have a trial subscription which has expired or if your old subscription was deleted or otherwise expired.

Can I Re-Enable My Old EZCA Subscription?

If your old subscription was deleted or expired, it cannot be re-enabled. You will need to create a new subscription and transfer your certificate authorities to it.

How-To: View Cloud RADIUS Audit Logs

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Introduction - How to View Cloud RADIUS Audit Logs in EZRADIUS

While we recommend connecting your Cloud RADIUS instance to your SIEM (Or an Azure Log Analytics workspace) and create Azure Dashboards, EZRADIUS also allows you to view the audit logs of your Cloud RADIUS instance. In this page we will go through how to view these logs.

How-To: Transfer Your EZRADIUS Cloud RADIUS Policies to a New Subscription

Wed, 04 Feb 2026 09:30:00 -0500

Overview

This guide provides step-by-step instructions on how to transfer your EZRADIUS Cloud RADIUS policies to a new subscription. This is required if you have a trial subscription which has expired or if your old subscription was deleted or otherwise expired.

Can I Re-Enable My Old Subscription?

If your old subscription was deleted or expired, it cannot be re-enabled. You will need to create a new subscription and transfer your policies to it.

Learn About PKI Validity Periods & Revocation Best Practices

Tue, 21 Oct 2025 01:22:09 -0500

How To Select a CA Validity Period

When designing the validity period of a Certificate Authority (CA), many factors have to be taken into consideration: Lifetime of the parent CA, desired lifetime for issued certificates, key algorithm used, and security of the private key. Now let’s look into what you have to take into account when looking at each of the factors mentioned.

Lifetime of the parent CA and desired lifetime for issued certificates are both based on the fact that CAs cannot issue certificates that are longer than their lifetime. Let’s look at a scenario where you want to issue 2 year certificates in a two tier PKI. The intermediate CA’s validity period has to be larger than 2 years, ideally you would want to be able to achieve at least one rotation of certificates before having to rotate the CA, meaning that the intermediate CA’s validity period has to be larger than 4 years. Industry standards would recommend to have an intermediate CA of 5 years and create a new intermediate CA to replace it after 2.5 years, giving IT administrators enough time to push the new intermediate CA certificate to clients before the 3 year mark where the first intermediate CA would not be able to issue 2 year certificates. Once we have established the lifetime of the intermediate CA we can establish the minimum validity period for the root CA: >10 years.

How-To: Select an EZSSH Plan in Azure Portal

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Registering the application in your tenant

Video Version

Creating the Azure Resource

Go to https://portal.azure.com/
Click on “Create a resource”.
Type “EZSSH” in the search bar.
Press enter.
Select the EZSSH offering
Select the plan.
Click the “Set up + Subscribe” button
Enter your subscription and resource group information.
Click the “Review + Subscribe” button
Enter your email and phone number
Click the “Subscribe” button
Once the subscription is complete, click the “Configure account now” button.
This will redirect you to our portal (https://portal.ezssh.io/). Sign in with your same Microsoft account.
EZSSH will now show the features that are included your plan.
Enable or disable if you want to also issue GitHub certificates. Note: Only one GitHub subscription is allowed per Azure Tenant.
Once the subscription details are correct, click the “Purchase Plan” button.
Once you have registered in EZSSH, the status in your Azure resource will change to subscribed.
Once you are registered, you are ready to connect to your Azure Subscriptions and GitHub Instances.

How-To: Troubleshoot EZCMS Administration Issues

Tue, 03 Mar 2026 08:00:00 -0800

If you are trying to sign up for EZCMS and you are getting an error that says “No Results Found” when trying to add your administrators, it means that the EZCMS AAD application does not have permission to view your tenant users, please register the application, and open a new tab and reauthenticate.

Error When Testing FIDO2 Or Phone Tenant Connection

If you get the following error:

Learn How to Secure your IoT Devices in Azure with Certificates

Mon, 30 Mar 2026 08:00:00 -0500

Azure IoT Best Practices - Video Overview

Overview - How to Secure Your IoT Devices

With IoT’s gaining popularity, it has become a must have for many businesses, but as any emerging technology, IoT has been also grabbed the attention of hackers. Most IoT attacks from small attacks directed to specific companies, to large scale attacks such as the attack on DNS infrastructure by the Mirai Botnet, have a weak identity story to manage the IoT devices in common. As this space matures, it is our responsibility to apply best practices to protect users around the world from these bad actors. In this document we will share a guide outlining best practices to help you architect a secure and compliant device provisioning system.

How-To: Enable Azure IoT Hub Certificate Authentication in EZCA

Mon, 30 Mar 2026 08:00:00 -0500

⚠️ This step is optional

Only follow this guide if you intend to have EZCA automatically manage new CA certificates in your Azure IoT Hubs. If you do not leverage Azure IoT Hub, or if you plan to manually add CA certificates to your IoT Hubs, you can skip this step.

Enable Azure IoT Hub Access For Certificate Authentication in EZCA

If you are using EZCA for Azure IoT and would like to EZCA to automatically add new CA certificates to Azure IoT, EZCA must to have Contributor role access to your IoT Hubs. With this access, EZCA will be able to automatically add new CA certificates to your IoT Hubs, and rotate your CAs when they expire. If you would also like EZCA to disable your IoT devices when a certificate is revoked, EZCA must also have the IoT Hub Registry Contributor role on your IoT Hubs as well.

How-To: Issue SCEP Certificates in Jamf Pro

Thu, 12 Mar 2026 09:00:00 -0800

How To Configure Jamf Pro SCEP Certificate Authority - Video Guide

The following video will guide you through all the steps from start to finish to create a SCEP profile in Jamf Pro using your EZCA SCEP CA.

How to Configure Jamf Pro SCEP Certificate Authority - Step by Step Guide

The following steps will walk you through the process of configuring Jamf Pro to issue SCEP certificates using your EZCA SCEP CA.

How-To: Authenticate with Certificates to Azure IoT Hub

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

(PKI Admin) Created a Subordinate CA in Azure

Overview - How to Authenticate with Certificates to Azure IoT Hub

How-To: Register Devices in Azure IoT Hub For Certificate Authentication Using Azure IoT Device Provisioning Service

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

(PKI Admin) Created a Subordinate CA

Overview - How To Use Azure Device Provisioning Service to Automatically Provision IoT Devices

X509 Certificates are the most secure way for IoT devices to authenticate with Azure. In this tutorial, we will show you how to use Azure Device Provisioning Service to automatically enroll and connect your IoT devices to Azure in a secure and compliant way.

Warning

Using Device Provisioning Service does not support CA certificate rotation and forces you to re-enroll the device each certificate rotation. To get the full certificate automation that our Azure IoT Certificate Integration offers We recommend using IoT Hub CA Certificate Authentication instead. Here is a guide on how to set it up.

How-To: Issue SCEP Certificates in Jamf Now

Wed, 25 Feb 2026 08:30:00 -0800

Overview - What is Jamf Now?

Jamf Now is a cloud-based mobile device management (MDM) solution designed for small businesses. It allows organizations to easily manage and secure their Apple devices, including iPhones, iPads, and Macs.

Does Jamf Now Support SCEP Certificates?

Yes, via Custom Profiles. While Jamf Now does not directly support SCEP certificate issuance (as of writing), it does allow you to configure Custom Profiles via Apple Configurator which can be used to deploy SCEP certificates to your devices. The guide below will walk you through how to use Custom Profiles in Jamf Now to issue SCEP certificates from your EZCA SCEP CA.

How-To: Issue SCEP Certificates in Apple Configurator

Wed, 25 Feb 2026 08:30:00 -0800

Overview - What is Apple Configurator?

Apple Configurator is a macOS application that allows administrators to configure and deploy iOS, iPadOS, and tvOS devices in bulk. It provides tools for creating and installing configuration profiles, including SCEP certificates, on Apple devices.

Does Apple Configurator Support SCEP Certificates?

Yes. Apple Configurator has built-in support for creating and deploying SCEP certificates to Apple devices. You can use Apple Configurator to create a configuration profile that includes a trusted Certificate and SCEP payload, which can then be installed on your devices to issue SCEP certificates from your EZCA SCEP CA.

How To: Create IoT Edge EST Certificate Authority

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

An Azure IoT Hub Instance
An Azure IoT Device Provisioning Service Instance
A Linux Machine running IoT Edge (For this one just install IoT Edge, once you get to the provisioning the device with it’s cloud identity section, jump to this guide)

Overview - Create IoT Edge Certificates Using a Cloud Based EST Certificate Authority

Azure IoT Edge devices need a secure way to authenticate to the cloud, however, managing certificates in IoT devices can be a challenge. Azure IoT Edge supports the Enrollment over Secure Transport (EST) protocol which allows devices to request certificates from a Certificate Authority (CA) in a secure way. This guide will walk you through creating a CA in EZCA that can issue certificates to IoT Edge devices using the EST protocol.

How-To: Connect SCEP CA To ManageEngine MDM Plus

Tue, 21 Oct 2025 01:22:09 -0500

EZCA, the first Azure based PKI, enables you to create a secure and compliant certificate authority in Azure in minutes one of the MDMs we are happy to integrate with is ManageEngine Mobile Device Manager Plus. In this page we will guide you on how to connect your CA to ManageEngine MDM Plus.

Prerequisites - Create your Cloud Certificate Authority

This page assumes that you have already created your SCEP CA.

How to Issue SSL Certificates in ManageEngine Mobile Device Manager Plus - Video Version

How To Connect Your CA to ManageEngine MDM Plus For SCEP Certificate Issuance

The first step, is to download your CA certificate. To do this, navigate to the EZCA portal (If you have your private instance go to that specific portal)
Login with an account that is registered as a PKI Admin in EZCA.
Navigate to Certificate Authorities.
Click on the “View Details” CA you want to connect to ManageEngine MDM Plus.
Click on the “Download CA Certificate” button.
Repeat this step for all locations of the CA.
If you also have a Root CA, download the Root CA certificate as well.
In another Tab, navigate to your ManageEngine MDM Plus portal.
Click on the device Mgmt tab and Select Certificates in the left menu.
Click on the “CA Severs” tab at the top.
Click on the “Add CA Server” button.
Select the “Generic SCEP” option.
Enter a CA Name (this is just so you identify it under ManageEngine MDM Plus).
Go Back to your EZCA tab, in the CAs list, and click “View Requirements” for the CA you want to connect to ManageEngine MDM Plus.
Ensure “Enable SCEP Static Challenge” is checked. If not, Check the option and click “Save Changes” on the top right.
Now you will copy the Static Challenge SCEP URL
Go back to your ManageEngine MDM Plus tab, and paste the URL in the “SCEP Server URL” field.
Click the “Add Certificate Link”
Select your SCEP CA certificate from your computer.
Click the “Add Certificate Button”
Click the “Save” button.
Enter a Certificate Template Name (this is for reference in the ManageEngine MDM Plus portal).
Enter the Subject Name (this is the name of the certificate that will be issued to the device). You can do dynamic names based on the user requesting them with their keywords for example CN=%USERNAME% will issue the certificate with the username of the user requesting the certificate.
If your infrastructure requires, add the settings for Subject Alternative Name (SAN) of the certificate, this field is also commonly used for certificate authentication.
Enter the maximum number of attempts for a failed request and how long to wait between failed attempts.
In Challenge Type, select “Static”.
Go Back to the EZCA Tab, and copy the “SCEP Challenge”.
Paste the SCEP Challenge in the “SCEP Challenge” field in ManageEngine MDM Plus.
Set the Key Size to 2048.
Select what you want your users to use the Key for (Digital Signature and/or Key Encipherment).
Set the Certificates to Automatically Renew.
Click the “Save” button.
If you also have a root certificate, Go to the Certificates Tab and Also add that certificate.

How To Create Your Manage Engine MDM Plus Profile

In the ManageEngine MDM Plus portal, click on the “Profiles” menu on the left.
Click “Create Profile” and select your desired platform.
Enter a name for the profile.
Click Continue.
On the Left Menu, click on “SCEP”.
Select your SCEP template we created above.
Click “Save”.
On the left menu, click on “Certificate”.
Select the SCEP certificate we created above.
Click “Save”.
Add any other settings you might want to add to this profile, and then click publish.
If you also have a Root CA, create another profile to push that certificate to the certificate root store of your computer.
Now you can assign this profile to your devices.
Assign it to your first device and verify that your certificate was issued.

How To: Create EST Certificates for Azure IoT Hub

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

(PKI Admin) Created a Subordinate CA in Azure (SSL Template)

Overview - How to Authenticate with Certificates to Azure IoT Hub

X509 Certificates are the most secure way for IoT devices to authenticate with Azure IoT Hub. In this tutorial, we will show you how to create an Certificate Authority in Azure using EZCA and connect your IoT devices to Azure IoT Hub in a secure and compliant way. Once the bootstrap certificate is created, we must think about the renewal process. EZCA has multiple ways to achieve this, one is using our EZCA Nuget Packet with Code Samples, you can see the documentation for that and code samples here. Another way is using EST (Enrollment over Secure Transport) to renew the certificates. In this tutorial, we will show you how to create a certificate using EST and connect it to Azure IoT Hub.

How-To: Manage an EZSSH Subscription

Tue, 03 Mar 2026 01:22:09 -0500

Introduction - What is an EZSSH Subscription?

An EZSSH subscription is a way to manage billing, configuration, and access for your EZSSH instance. When you sign up for EZSSH, you will be asked to create a subscription either directly through the EZSSH portal or through Azure. Once created, the subscription will be the central place to manage your EZSSH instance. You can have multiple subscriptions if you want to separate different teams or projects.

How-To: Distribute the EZCMS Application to Your Users via Microsoft Intune

Wed, 08 Apr 2026 07:30:00 -0700

Introduction - Distributing the EZCMS Application via Microsoft Intune

Due to your organization’s endpoints and configuration being build directly into the EZCMS application binary, it cannot be distributed through centralized app stores and must be distributed directly to your users. If you want your users to have a seamless experience where the EZCMS application is automatically installed on their devices without needing to manually download and install it, you can use a Mobile Device Management (MDM) solution like Microsoft Intune to distribute the EZCMS application to their devices.

How-To: Register EZCA Intune App

Wed, 01 Apr 2026 14:00:00 -0800

How to Register the Keytos Intune Application for EZCA

If you will be using EZCA with Microsoft Intune to issue SCEP certificates you will need to register the Keytos Intune Application in your tenant. This allows EZCA to connect to Intune and issue certificates for your Intune-managed devices.

Keytos Client vs Keytos Intune

Make sure you’ve consented both the Keytos Client and the Keytos Intune applications in your tenant. The Keytos Client application allows you to use the full functionality of the EZCA portal, while the Keytos Intune application allows EZCA to issue and manage certificates for your Intune-managed devices.

How-To: Create a SCEP CA with EZCA Cloud PKI

Wed, 01 Apr 2026 08:00:00 -0500

Prerequisites for Creating a SCEP CA in Azure

You have registered the Keytos Entra ID applications
You have created an EZCA subscription
If you plan to use Intune, you have registered the Intune application

How To Create a SCEP CA in EZCA Cloud PKI - Video Tutorial

Want to follow along with our video tutorial? Check out our video tutorial below where we walk you through how to create a SCEP CA in EZCA:

How-To Register the EZCA App in your Azure Tenant

Mon, 30 Mar 2026 08:00:00 -0500

How to Register the Keytos Applications for EZCA

EZCA uses two Entra ID Applications to authenticate you to our services. To register the Keytos applications in your tenant, use your Global Administrator account and follow these steps:

The easiest way to register the applications is to click the button below while logged in with your Global Administrator account:

How-To: Create a New Certificate in a Browser

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Overview

EZCA allows users to securely create a certificate in the browser by locally generating a private key in the browser and then requesting a certificate, following the PKI best practices of the private key never leaving the client’s computer.

How to Create a Certificate in Browser with EZCA

Navigate to https://portal.ezca.io/
Navigate to Domains.

How-To: Enable Self-Service user management for Cloud RADIUS with Entra ID in EZRADIUS

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Enable Self Service User Management in EZRADIUS

While we recommend using EAP-TLS for your RADIUS users, we understand that some devices might not support this protocol and you might have to fall back to passwords. If possible, we recommend using EAP-TTLs which can use your user passwords from Entra ID. However, if your networking gear (such as Meraki VPN) require other authentication methods such as PEAP-MSCHAPv2 or PAP, then you must use RADIUS local users, in this page we will guide you on how to setup self service user management for your users, allowing your users to manage their own passwords without help from your IT desk.

How-To: Export your EZMonitor SSL Monitoring Logs to Azure Log Analytics and Azure Sentinel

Mon, 30 Mar 2026 08:00:00 -0500

Do I Need Azure Sentinel?

This guide applies to both Azure Log Analytics and Azure Sentinel since Sentinel is built on top of Log Analytics. Azure Sentinel is not required if you only want to collect and analyze logs, but it provides additional security features if you choose to use it.

Prerequisites

The Keytos Entra ID application is registered in your tenant
You have an active EZCA plan
You are an Owner or User Access Administrator on the Resource Group containing your Log Analytics workspace.

How to Grant Log Contributor Permissions to the EZMonitor Application in Azure

To allow EZMonitor to send logs to your Log Analytics and Azure Sentinel workspace, you need to grant the Keytos application the following roles on the Resource Group containing your Log Analytics workspace:

How-To: Export your RADIUS Logs to Azure Log Analytics and Azure Sentinel

Mon, 30 Mar 2026 08:00:00 -0500

Do I Need Azure Sentinel?

Prerequisites

How to Grant Log Contributor Permissions to the EZRADIUS Application in Azure

To allow EZRADIUS to send logs to your Log Analytics and Azure Sentinel workspace, you need to grant the EZRADIUS application the following roles on the Resource Group containing your Log Analytics workspace:

How-To: Enable Cloud RADIUS with Entra ID Authentication in Fortinet FortiOS

Thu, 12 Mar 2026 01:22:09 -0800

Fortinet provides documentation on how to set up RADIUS on their website, which you can refer to for additional CLI commands and configuration options. This guide provides a basic overview of the steps involved in setting up RADIUS authentication with Fortinet devices.

Introduction - How to Protect Your Fortigate Network with Cloud RADIUS

Having a single Wi-Fi password for your network is a security nightmare. It’s impossible to know who has access to your network, and it’s nearly impossible to change the password regularly without causing major outages. The best way to secure your Fortigate network is to use WPA-Enterprise with either certificates or individual user accounts for authentication.

How-To: Manage EZCA Resources with the EZCA Portal

Tue, 03 Mar 2026 01:22:09 -0500

Introduction to the EZCA Portal

The EZCA Portal is the primary way to manage your EZCA resources. It provides a user-friendly interface to manage your certificate authorities, domains, and certificates.

How To Manage Your EZCA Resources with the EZCA Portal

Throughout the EZCA documentation we primarily reference the EZCA Portal as the main way to manage your EZCA resources. When following along with the documentation, the portal will commonly be used to manage your EZCA resources. Refer to the specific guides in the documentation for more information on how to use the portal to manage your EZCA resources effectively.

How-To: Enable Cloud RADIUS with Entra ID Authentication in Ubiquiti Unifi

Fri, 06 Feb 2026 01:10:00 -0500

Introduction - How to Protect Your Ubiquiti Unifi Network with Cloud RADIUS

Having a single Wi-Fi password for your network is a security nightmare. It’s impossible to know who has access to your network, and it’s nearly impossible to change the password regularly without causing major outages. The best way to secure your Ubiquiti Unifi network is to use WPA-Enterprise with either certificates or individual user accounts for authentication.

How To Set Up 802.1X Network Authentication on Windows

Thu, 29 Jan 2026 12:00:00 -0800

Note: While you can manually configure your Windows device to connect to an enterprise 802.1X network, we highly recommend using a Mobile Device Management (MDM) solution like Microsoft Intune to push the necessary network profiles and certificates to your devices. This ensures that all devices are consistently configured and reduces the risk of misconfiguration.

What is 802.1X Network Authentication?

At home, you probably just plug your computer into an ethernet cable or connect to a Wi-Fi network using a single password. It’s easy and convenient because at home you (usually) trust everyone who can connect to your network. However, in an enterprise environment, you want to make sure that only authorized users and devices can connect to your network. This is where 802.1X network authentication comes in. 802.1X is a network protocol that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is commonly used in enterprise networks to provide secure access to network resources.

How to Sign Into Entra ID Using Your Passwordless Security Key

Fri, 23 Jan 2026 08:30:00 -0800

To allow your users to sign into Entra ID using FIDO2 security keys (passkeys), you need to enable the FIDO2 authentication method in the Entra ID Admin Center. Follow these steps:

Navigate to the Entra ID Admin Center and log in with your Global/Entra Administrator account.
Under Authentication method policies, select Passkey (FIDO2).
Ensure that Enable is enabled.

How-To: Enable Cloud RADIUS with Entra ID Authentication in Cisco Meraki

Wed, 14 Jan 2026 01:22:09 -0800

Introduction - How to Protect Your Cisco Meraki Network with Cloud RADIUS

Having a single Wi-Fi password for your network is a security nightmare. It’s impossible to know who has access to your network, and it’s nearly impossible to change the password regularly without causing major outages. The best way to secure your Cisco Meraki network is to use WPA-Enterprise with either certificates or individual user accounts for authentication.

How-To: Enable Cloud RADIUS with Entra ID Authentication in Ruckus Unleashed

Wed, 14 Jan 2026 01:22:09 -0800

Ruckus APs can operate in Unleashed mode or in controller-based mode. This guide focuses on Ruckus Unleashed, which is Ruckus’s controller-less WiFi solution for small to medium-sized businesses. For more information on setting up RADIUS with Ruckus in controller-based mode, refer to Ruckus’s official documentation such as the SmartZone docs or Ruckus cloud docs.

Introduction - How to Protect Your Ruckus Unleashed Network with Cloud RADIUS

Having a single Wi-Fi password for your network is a security nightmare. It’s impossible to know who has access to your network, and it’s nearly impossible to change the password regularly without causing major outages. The best way to secure your Ruckus Unleashed network is to use WPA-Enterprise with either certificates or individual user accounts for authentication.

How-To: Enable Cloud RADIUS with Entra ID Authentication in TP-Link Omada

Wed, 14 Jan 2026 01:22:09 -0800

Introduction - How to Protect Your TP-Link Omada Network with Cloud RADIUS

Having a single Wi-Fi password for your network is a security nightmare. It’s impossible to know who has access to your network, and it’s nearly impossible to change the password regularly without causing major outages. The best way to secure your TP-Link Omada network is to use WPA-Enterprise with either certificates or individual user accounts for authentication.

How-To: Export your EZCA Cloud PKI Logs to Azure Log Analytics and Azure Sentinel

Fri, 19 Dec 2025 11:22:09 -0800

Do I Need Azure Sentinel?

Prerequisites

The Keytos Entra ID application is registered in your tenant
You have an active EZCA plan
You are an Owner or User Access Administrator on the Resource Group containing your Log Analytics workspace.

How to Grant Log Contributor Permissions to the EZCA Application in Azure

To allow EZCA to send logs to your Log Analytics and Azure Sentinel workspace, you need to grant the Keytos application the following roles on the Resource Group containing your Log Analytics workspace:

How-To: Export your EZCMS Logs to Azure Log Analytics and Azure Sentinel

Fri, 19 Dec 2025 11:22:09 -0800

Do I Need Azure Sentinel?

Prerequisites

The Keytos Entra ID application is registered in your tenant
You have an active EZCMS plan
You are an Owner or User Access Administrator on the Resource Group containing your Log Analytics workspace.

How to Grant Log Contributor Permissions to the EZCMS Application in Azure

To allow EZCMS to send logs to your Log Analytics and Azure Sentinel workspace, you need to grant the Keytos application the following roles on the Resource Group containing your Log Analytics workspace:

How-To: Restore Access to an Orphaned Domain

Tue, 11 Nov 2025 01:22:09 -0500

If a domain owner leaves your organization without transferring domain ownership, the domain becomes orphaned. An orphaned domain means that no current user or group has ownership rights to manage the domain in EZCA, which can prevent certificate requests and management for that domain.

How to Restore Access to an Orphaned Domain in EZCA

To restore access to an orphaned domain, you will need to have a PKI administrator for the Certificate Authority (CA) associated with the orphaned domain delete and re-register the domain with new owners. Follow these steps:

What is RADIUS and How Does it Work?

Mon, 03 Nov 2025 01:22:09 -0500

The Basics of RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. Let’s break down what the “three A’s” mean:

Authentication: This is the process of verifying the identity of a user or device trying to access the network. RADIUS checks the credentials (like username and password or a certificate) against a database or certificate authority to ensure they are valid.
Authorization: Once a user is authenticated, RADIUS determines what resources or services the user is allowed to access. This could include specific network segments, bandwidth limits, or time-of-day restrictions.
Accounting: RADIUS keeps track of the user’s activity on the network. This includes logging session start and stop times, data usage, and any other relevant information for billing or auditing purposes.

What is RADIUS Used For?

One of the most popular use cases for RADIUS is in enterprise Wi-Fi networks. If you’ve ever logged into a secure Wi-Fi network at work or school, chances are RADIUS was involved in verifying your credentials and granting you access. Sometimes you may not even need to enter a password, as RADIUS can work with certificates installed on your device for seamless authentication. Ever wonder how your work or school laptop connects automatically to the Wi-Fi without prompting for a password? That’s likely RADIUS at work, using certificate-based authentication.

How-To: Create an Intune SCEP Certificate Authority with EZCA Cloud PKI

Wed, 01 Apr 2026 14:00:00 -0800

Introduction - How to Create an Intune SCEP Certificate Authority (CA)

Are you looking for a simple and scalable way to issue certificates to your Intune managed devices? In this guide, we will show you how to create a SCEP CA for Microsoft Intune using EZCA, a cloud-based PKI platform that allows you to easily manage your certificate authorities and issuance. With EZCA, you can create a SCEP CA in minutes and start issuing certificates to your Intune devices without the hassle of setting up and maintaining your own on-premises PKI infrastructure. Whether you are new to PKI or an experienced administrator, this guide will provide you with the steps and best practices to get started with Intune SCEP CA in Azure.

How-To: Install SCEP Certificate in Linux

Wed, 01 Apr 2026 01:22:09 -0500

Introduction - How to Install SCEP Certificates in Linux

In this page we will guide you on how to install a X509 certificate with EZCA SCEP in Linux with our script with a password-protected private key.

Prerequisites for Installing SCEP Certificates in Linux

Before you begin, make sure you have the following prerequisites in place:

You have created an Intune SCEP CA.
You have registered the Keytos Intune application in your Entra ID tenant.
You are an Intune administrator with permissions to create configuration profiles in Intune.
Make sure you have installed coreutils, curl, head, and openssl on your device.

How To Manually Issue SCEP Certificates to Linux Devices - Step By Step Guide

In this section, you will first enable static SCEP challenge in your EZCA portal, then use a script to request and install SCEP certificates for Linux devices.

How-To: Create an SSL Certificate in Windows, Mac, or Linux

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

Overview

This page guides you through how to create a certificate signing request (CSR) on your Windows, Mac, or Linux PC and sending it to EZCA to create a TLS Certificate.

How To Request a Certificate

Navigate to https://portal.ezca.io/
Navigate to Domains.
Click the “Request Certificate” button on the domain you want to request a certificate for.
This will pre-populate the Subject Name and Subject Alternate Names with the selected domain.
If this certificate requires more subject alternate names (Usually for other domains that might use this certificate), add them in the DNS Names section.
By Default, EZCA will request the certificate to be the maximum validity allowed by your administrators. If you want to decrease the lifetime of the certificate, adjust the validity slider.
Make sure the “Import CSR” Option is Selected.
Click the “How to create a CSR Locally” Link.
Select your Operating System

How To Create CSR in Windows

Download the .inf file

How-To: Enable MAC Address Bypass Cloud RADIUS with Entra ID in EZRADIUS

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Enable WiFi MAC Address Bypass (MAB) in RADIUS - Video Version

How to Enable MAC Address Bypass in EZRADIUS

If you are using RADIUS authentication, you might have devices that do not support EAP-TLS or other secure authentication methods. In this case, you can use MAC Address Bypass to allow these devices to connect to your network without needing to authenticate. This is not recommended for most devices as it is not secure, but it can be useful for devices that do not support secure authentication methods. To enable MAC Address Bypass, follow these steps:

How-To: Export your Cloud PKI Logs to Splunk

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your Cloud PKI Audit Logs To Splunk

Go to the EZCA Portal.
Click on Settings.
Expand your subscription’s advanced settings.

How-To: Export your EZCMS Logs to Splunk

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Export your Passwordless Onboarding Audit Logs to Splunk

How To Enable Log Export in EZCMS Portal

Go to your EZCMS portal.
Click on Settings.

How-To: Export your EZMonitor SSL Monitoring Logs to Splunk

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZMonitor SSL Monitoring Logs To Splunk

Navigate to the EZMonitor Portal.
Click on Settings.
Expand your subscription’s advanced settings.
Enable the “Send Alerts to SIEM” option.

How-To: Export your RADIUS Logs to Splunk

Mon, 30 Mar 2026 08:00:00 -0500

How To Connect Your Cloud RADIUS To Splunk

Go to your EZRADIUS portal.
Click on Settings.
Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
Select Splunk as the SIEM Provider.
In another tab, go to your Splunk instance.
Go to data inputs by clicking on the settings menu.
Add a new Http Event Collector.
Enter Keytos as the Name click next.
Leave input settings with the default values and click next.
Click Submit.
Copy the splunk token we just created. Note this is a credential so do not share it publicly.
Now let’s go back to the EZRADIUS portal and copy the url of your splunk instance and the token we just created.
Click the “Test Connection” button, this will create a test log in your SIEM to make sure EZRADIUS can write to the SIEM.
If the connection test is successful, click “Save changes” at the top of the subscription.
EZRADIUS will now send your security alerts to your SIEM. If an error occurs it will email your subscription administrators. See below to see the different events EZRADIUS will send.

How-To: Manage EZCA Resources with the EZCA Certificate Renewal Client

Wed, 25 Mar 2026 01:22:09 -0500

At Keytos, our goal is to make EZCA easy-to-use for every person in the world. One way to make this a reality is by removing humans as much as possible from the equation. To help companies achieve this goal, we have created a sample C# console application for Windows that can:

This application can be used in combination with Windows Task Scheduler to automatically renew certificates before they expire, ensuring that your systems remain secure and compliant without manual intervention.

How To Set Up 802.1X Network Authentication on macOS

Thu, 29 Jan 2026 12:00:00 -0800

Note: While you can manually configure your macOS device to connect to an enterprise 802.1X network, we highly recommend using a Mobile Device Management (MDM) solution like Microsoft Intune to push the necessary network profiles and certificates to your devices. This ensures that all devices are consistently configured and reduces the risk of misconfiguration.

What is 802.1X Network Authentication?

How to Sign Into Windows Using Your Passwordless Security Key

Fri, 23 Jan 2026 08:30:00 -0800

Using a passwordless security key, such as a FIDO2 key or a Smart Card, to sign into Windows devices offers enhanced security and convenience. These keys provide strong authentication methods that are resistant to phishing attacks and other common threats associated with traditional passwords. By leveraging hardware-based authentication, users can enjoy a seamless sign-in experience while maintaining high security standards.

How-To: Create and Manage Local Users in Cloud RADIUS with Entra ID in EZRADIUS

Mon, 03 Nov 2025 01:22:09 -0500

Prerequisites

The Network Administrator Must Enable Self Service User Management

How to Create a User in Cloud RADIUS with Entra ID in EZRADIUS

Go to your EZRADIUS portal. (This will be provided by your network administrator)
Click on “Manage Account”
By default you will see the username that your network administrator has assigned to you. If your network administrator has enabled custom usernames, you can change your username by changing the text in the “Username” field. (If it does not allow custom usernames, you will not be able to change your username)

What are the Differences Between Classic RADIUS and RadSec?

Tue, 28 Oct 2025 01:22:09 -0500

Why are There Different Types of RADIUS?

Classic RADIUS

Classic RADIUS was introduced in the early 1990s as a protocol for managing network access. It uses UDP (User Datagram Protocol) for communication, which is fast but lacks built-in security features. As networks grew and started to span untrusted environments like the internet, the need for a more secure version of RADIUS became apparent. This led to the development of RadSec, which uses TCP (Transmission Control Protocol) and TLS (Transport Layer Security) to provide encrypted communication.

How-To: Enable Self Service User Certificates

Wed, 01 Apr 2026 08:00:00 -0500

Introduction - What are Self Service User Certificates?

If you are using X509 Certificates for user authentication either for Wi-Fi or a VPN, you might have setup a SCEP CA that connects to your MDM and enables your to automatically create certificates for your users. However, some users that require certificates for your organization might not have a device managed by your MDM. In this case you can enable self service user certificates for your users. This will enable your users to create their own certificates for authentication and encryption with a single in our portal; removing the need of an MDM.

How-To: Add PKI Administrators to your Azure PKI

Mon, 30 Mar 2026 08:00:00 -0500

What is a PKI Administrator?

A PKI Administrator is an Entra ID user or group that has been granted administrative privileges to manage your EZCA subscription and Certificate Authorities. PKI Administrators can perform tasks such as creating and managing CAs, issuing and revoking certificates, and configuring PKI settings.

When choosing PKI Administrators, it’s important to select individuals or groups who are trusted and have the necessary expertise to manage your PKI effectively. This may include members of your IT security team, system administrators, or other personnel responsible for managing digital certificates and encryption within your organization.

How-To: Export your Cloud PKI Logs to CrowdStrike Falcon

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your Cloud PKI Audit Logs To CrowdStrike Falcon LogScale

Go to the EZCA Portal.
Click on Settings.
Expand your subscription’s advanced settings.

How-To: Export your EZCMS Logs to CrowdStrike Falcon

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Export your Passwordless Onboarding Audit Logs to CrowdStrike Falcon

How To Enable Log Export in EZCMS Portal

Go to your EZCMS portal.
Click on Settings.

How-To: Export your EZMonitor SSL Monitoring Logs to CrowdStrike Falcon

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How to Grant Log Contributor Permissions to the EZMonitor Application in Azure

How-To: Export your RADIUS Logs to CrowdStrike Falcon

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Connect Your RADIUS Service To CrowdStrike Falcon LogScale

Go to your EZRADIUS portal.
Click on Settings.
Scroll to the bottom and enable the “Send Audit Logs” to SIEM option.
Select CrowdStrike Falcon LogScale as the SIEM Provider.
In another tab, go to your CrowdStrike Falcon LogScale instance.
Click on the Settings tab.
Select the “Ingest Tokens” menu.
Click on the “Add Token” button.
Enter the token name
Assign the json parser and click “Create”.
Copy the token and the ingest host name.
Go back to the EZRADIUS tab.
Paste the ingest host name in the “Ingestion Endpoint” field.
Paste the token in the “Ingestion Token” field.
Click the “Test Connection” button, this will create a test log in your SIEM to make sure EZRADIUS can write to the SIEM.
If the connection test is successful, click “Save changes” at the top of the subscription.

How To Create Alerts in CrowdStrike Falcon LogScale to Monitor Your Cloud RADIUS Activity

Using a SIEM enables you to create alerts for critical operations or abnormal behavior. We recommend setting up alerts for any high criticality event, and closely monitor medium and low events. Below are sample queries for the Administrator events.

How-To: Manage EZCA Resources with the Keytos Terraform Provider

Tue, 03 Mar 2026 01:22:09 -0500

Introduction to the Keytos Terraform Provider

The Keytos Terraform Provider is a tool that allows you to manage your EZCA resources and other Keytos resources using Terraform. It provides a way to define your infrastructure as code and manage it in a consistent and repeatable way.

🌐 Keytos Terraform Provider

Resource Types Available in the Keytos Terraform Provider

The Keytos Terraform Provider supports the following resource types for managing your EZCA resources:

How To Set Up 802.1X Network Authentication on Android

Thu, 29 Jan 2026 12:00:00 -0800

Note: While you can manually configure your Android device to connect to an enterprise 802.1X network, we highly recommend using a Mobile Device Management (MDM) solution like Microsoft Intune to push the necessary network profiles and certificates to your devices. This ensures that all devices are consistently configured and reduces the risk of misconfiguration.

What is 802.1X Network Authentication?

What are the Protocols Used by RADIUS?

Tue, 28 Oct 2025 01:22:09 -0500

Going Under the Hood of RADIUS

Lifting up the hood on RADIUS reveals a variety of protocols that facilitate its core functions of authentication, authorization, and accounting. When setting up a RADIUS server, they can be mixed and matched based on your organization’s security requirements and infrastructure capabilities. Below, we explore some of the most common RADIUS protocols and their typical use cases.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

EAP-TLS is widely regarded as the most secure RADIUS authentication method. It uses client-side certificates or smart cards to authenticate users, providing strong security without relying on passwords. In EAP-TLS, both the client and server present certificates to each other, ensuring mutual authentication.

How-To: Manage Certificates for SCEP CAs

Wed, 01 Apr 2026 08:30:00 -0800

There are multiple ways to issue and manage certificates in the EZCA portal. In this document we will go over how to manage certificates for your SCEP CA. This is more of an “Index” that will show all the different ways you can create your certificates in your cloud based CA. Each section will have a link to a more detailed document that will go over how to issue certificates in that specific way.

How-To: Create a User Certificate

Mon, 30 Mar 2026 08:00:00 -0500

How to create a user certificate

If your administrator has enabled self service user certificates, you can follow this guide to create your own certificates for authentication and encryption. go to the EZCA portal (If you have your private instance go to that specific portal) and login with your credentials. Once logged in, follow these steps to create your certificate.

Click on the “User Certificate” button.
If you have multiple profiles, you will see a Certificate Profile dropdown. Select the profile you want to use. (If you only have one profile, you will not see this dropdown).
Enter a Certificate Name (this is just for your reference).
If your administrator has enabled the option to save the private key in EZCA (this is used for S/MIME or encryption certificates where having a backup of the private key is important), you will see the option to save the private key in EZCA. If you do not see this option, please continue to create your certificate.
One of the advantages of saving your private key in EZCA is that you can have EZCA automatically rotate your certificate when it is about to expire. If you want to enable this option, check the “Automatically Renew Certificate Before it Expires” option. This option will automatically renew your certificate and send you an email instructing you to download the new certificate.
Click the “Create Certificate” button on the top right of the page, this might freeze your browser a few seconds while it creates your secure cryptographic key. Once you have created your certificate, you will see a page with the details of your certificate.

Now you are ready to install your certificate

How-To: Export EZSSH Logs to Datadog

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZSSH Audit Logs To Datadog

How To Enable Log Export in EZSSH Portal

Go to the EZSSH Portal.
Click on Settings.
Expand your subscription’s Advanced Settings.

How-To: Export EZSSH Logs to Huntress

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZSSH Audit Logs To Huntress

How To Enable Log Export in EZSSH Portal

Go to the EZSSH Portal.
Click on Settings.
Expand your subscription’s Advanced Settings.

How-To: Export your Cloud PKI Logs to Datadog

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your Cloud PKI Audit Logs To Datadog

How To Enable Log Export in EZCA Portal

Go to the EZCA Portal.
Click on Settings.
Expand your subscription’s Advanced Settings.

How-To: Export your Cloud PKI Logs to Huntress

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your Cloud PKI Audit Logs To Huntress

How To Enable Log Export in EZCA Portal

Go to the EZCA Portal.
Click on Settings.
Expand your subscription’s Advanced Settings.

How-To: Export your RADIUS Logs to Datadog

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your Cloud RADIUS Audit Logs To Datadog

How To Enable Log Export in EZRADIUS Portal

Go to your EZRADIUS Portal.
Click on Settings.

How Do I Set Up PKI Infrastructure for RADIUS to Use Certificates and EAP-TLS?

Tue, 28 Oct 2025 01:22:09 -0500

How Does Certificate-Based Authentication Work?

Check out our quick overview video to learn how certificate-based authentication works with RADIUS.

Why Are Certificates Better Than Passwords for RADIUS?

When it comes to securing network access, using certificates for RADIUS authentication offers several advantages over traditional usernames and passwords:

User Convenience: With certificates, users can authenticate without needing to remember complex passwords. Once the certificate is installed on their device, authentication can happen seamlessly in the background.
Stronger Security: Certificates provide a higher level of security compared to passwords, which can be weak, reused, or easily compromised. While passwords contain around 10-20 characters on average, certificates use cryptographic keys that are typically 2048 bits or longer, making them nearly impossible to brute-force using current technology.
Phishing Resistance: Certificates are not susceptible to phishing attacks, where attackers trick users into revealing their passwords. Since certificates are stored securely on the device and cannot be easily shared, they are much harder for attackers to steal.
Prevents Shared Credentials: Unlike passwords, which can be shared among multiple users, certificates are unique to each user or device. This ensures that only authorized individuals can access the network and only the resources they are permitted to use.
Works for Devices and Users: Certificates can be issued to both users and devices, allowing for flexible authentication scenarios. This is particularly useful for IoT devices or shared workstations where user credentials may not be practical.

If these benefits align with your organization’s security goals, setting up PKI infrastructure for RADIUS to use certificates and EAP-TLS is a worthwhile investment.

How-To: Create Domain Controller Certificates for Windows Hello Hybrid

Wed, 01 Apr 2026 08:00:00 -0500

Introduction - How to Create a Domain Controller Certificate with Cloud PKI

If you are trying to migrate your PKI to the cloud, but still have Domain controllers on premises, you might still need certificates for your domain controllers. This certificates can be used for regular Domain Controller operations such as Secure LDAP or more advanced scenarios like hybrid key trust deployment for Windows Hello For Business.

This guide will show you how to create this without the need of running ADCS (Active Directory Certificate Services) offloading all your PKI needs to EZCA.

How-To: Create Server Certificates with SCEP Cloud CA

Wed, 01 Apr 2026 08:00:00 -0500

Introduction - How to Create a Server Certificate with Cloud PKI

While EZCA SCEP CAs typically issue user and/or device certificates through an MDM solution such as Intune or Jamf, you can also use it to create server certificates for your network controllers or other servers that require certificate authentication, such as RADIUS servers, VPN servers, and web servers. This saves you from needing to deploy a second SSL CA or running ADCS (Active Directory Certificate Services) to issue server certificates.

How-To: Create a Certificate in Azure Key Vault

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Create and Automatically Rotate SSL Certificates in AKV - Video Version

Overview - How to Create a Private Certificate in Azure Key Vault

Azure Key Vault is the best way to manage certificates in Azure, it allows you to securely distribute your certificates to all your Azure resources. While Azure Key Vault (AKV) has automatic rotation for public certificates it does not work for your private certificate authority. To help you automatically rotate your private certificates (even for your Windows ADCS CA with our ADCS connection) in Key Vault, we have created a seamless integration with Azure Key Vault to enable users to create, request, and manage certificates in a few clicks from a single place.

How-To: Export your EZCMS Logs to Datadog

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZCMS Audit Logs To Datadog

How To Enable Log Export in EZCMS Portal

Go to your EZCMS portal.
Click on Settings.
Scroll down to SIEM Connection Settings and enable the Send Alerts to SIEM option.

How-To: Export your EZCMS Logs to Huntress

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZCMS Audit Logs To Huntress

How To Enable Log Export in EZCMS Portal

Go to your EZCMS portal.
Click on Settings.
Scroll down to SIEM Connection Settings and enable the Send Alerts to SIEM option.

How-To: Export your EZMonitor SSL Monitoring Logs to Datadog

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZMonitor SSL Monitoring Logs To Datadog

How To Enable Log Export in EZMonitor Portal

Navigate to the EZMonitor Portal.
Click on Settings.
Expand your subscription’s Advanced Settings.

How-To: Export your EZMonitor SSL Monitoring Logs to Huntress

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your EZMonitor SSL Monitoring Logs To Huntress

How To Enable Log Export in EZMonitor Portal

Navigate to the EZMonitor Portal.
Click on Settings.
Expand your subscription’s Advanced Settings.

How-To: Export your RADIUS Logs to Huntress

Mon, 30 Mar 2026 08:00:00 -0500

Prerequisites

How To Export Your Cloud RADIUS Audit Logs To Huntress

How To Enable Log Export in EZRADIUS Portal

Go to your EZRADIUS Portal.
Click on Settings.

How To Set Up 802.1X Network Authentication on Ubuntu

Wed, 25 Mar 2026 01:22:09 -0500

Note: While this guide is written for Ubuntu, these set of instructions should be the same with any other Linux distribution that runs GNOME with NetworkManager.

Note: While you can manually configure your Ubuntu device to connect to an enterprise 802.1X network, we highly recommend using a Mobile Device Management (MDM) solution like Microsoft Intune to push the necessary network profiles and certificates to your devices. This ensures that all devices are consistently configured and reduces the risk of misconfiguration.

How Do I Set Up MDM for RADIUS to Distribute Certificates and WiFi Profiles?

Tue, 28 Oct 2025 01:22:09 -0500

How Do I Push Certificates and WiFi Profiles to Devices for RADIUS?

When using certificate-based authentication with RADIUS, you’ll need a way to distribute the necessary certificates and WiFi profiles to your users’ devices. These include laptops, smartphones, tablets, and other endpoints that will connect to your network. It’s a lot of work to have users do this manually or to have them visit an IT help desk, so organizations typically use a Mobile Device Management (MDM) solution to automate this process.

How-To: Issue X.509 Certificates via the EZCA API

Tue, 21 Oct 2025 01:22:09 -0500

Introduction - How Can I Issue Certificates Through API?

EZCA is the first Cloud Certificate Authority build by developers for developers. We understand the importance of automation and have built our certificate authority API to be as simple as possible. To help you get started, other than supporting some usual PKI standards such as SCEP (SCEP Sample Code), ACME, and EST (EST Sample code) we have also created a swagger documentation that you can use to test our API, full documentation for IoT Certificate Issuance, and even a NuGet Package with sample code to help you issue certificates as quickly as possible. In this page we will focus on our own API and how you can use it to issue certificates.

How Does Intune Issue SCEP Certificates with EZCA?

Wed, 25 Feb 2026 08:30:00 -0800

What is SCEP?

SCEP, or Simple Certificate Enrollment Protocol (SCEP), is a certificate enrollment standard that enables devices to issue certificates by using a key provided by a 3rd party. The Certificate Authority (CA) must be able to communicate with this trusted third party (in this case Intune) to validate that the key provided by the device is allowed to request a certificate.

When are SCEP Certificates Used?

SCEP certificates are commonly used in scenarios where devices need to authenticate to a network or service without user interaction. For example, SCEP certificates can be used for:

How Can I Monitor My Network Using RADIUS Accounting Logs?

Tue, 28 Oct 2025 01:22:09 -0500

What are RADIUS Accounting Logs?

It’s important to know what users and devices are connecting to your network, how long they’re connected, and how much data they’re using. RADIUS accounting logs provide this information by recording detailed records of user activity on your network.

What Types of Accounting Logs Are Available?

RFC 2866 defines the standard RADIUS accounting attributes and log types.

The main types of RADIUS accounting logs include:

How-To: Manage EZCA Resources with the .NET Nuget SDK

Tue, 03 Mar 2026 01:22:09 -0500

Introduction to the .NET Nuget SDK

The .NET Nuget SDK allows you to write your own automation, applications, and tooling in .NET on top of the EZCA platform. It provides a way to programmatically manage your EZCA resources and integrate with other systems in your environment using .NET.

🌐 EZCA .NET Nuget SDK

Code Samples for Using the .NET Nuget SDK

Want to see examples of how to use the .NET Nuget SDK to manage your EZCA resources? Check out the EZCA Cert Client which is built on top of the EZCA API and the .NET Nuget SDK to manage EZCA resources. The Cert Client is an open source project, so feel free to explore the codebase and see how the SDK is used to call the EZCA API and manage EZCA resources.

EZCA Frequently Asked Questions

Fri, 13 Mar 2026 08:45:00 -0800

EZCA Plans and Pricing

How Am I Billed for EZCA?

Only your Certificate Authorities (CAs) are billed in EZCA at a flat fee per month. Once you create a CA, you can create unlimited certificates (within the rate limits of your CA tier) at no additional cost. There are no additional costs for features such as SCEP, ACME, OCSP, or CRL hosting. All these features are included in the monthly cost of the CA. The only time you will incur additional costs is if you create multiple CAs or geo-redundant CAs in different regions, as those are separate CAs that each have their own monthly cost.

How-To: Manage EZCA Resources with the EZCA API

Tue, 03 Mar 2026 01:22:09 -0500

Introduction to the EZCA API

The EZCA API allows you to write your own automation, applications, and tooling on top of the EZCA platform. It provides a way to programmatically manage your EZCA resources and integrate with other systems in your environment.

🌐 EZCA API Swagger Reference

Code Samples for Using the EZCA API

Want to see examples of how to use the API to manage your EZCA resources? Check out the EZCA Cert Client which calls the EZCA API to manage EZCA resources.

Cloud RADIUS Frequently Asked Questions

Fri, 13 Mar 2026 08:45:00 -0800

EZRADIUS Plans and Pricing

How Does RADIUS Billing Work?

We bill based on the number of unique identities (users or devices) that authenticate to EZRADIUS each month. For example, if you have 100 users in your organization but only 50 of them authenticate in a given month, you will be billed for 50 unique identities for that month. This billing model allows you to scale your RADIUS usage based on actual authentication activity, providing flexibility and cost-effectiveness for your organization.

SSL Monitoring Frequently Asked Questions

Fri, 13 Mar 2026 08:45:00 -0800

Integrations and Partnerships

Do I Need an Entra ID Tenant to Use EZMonitor?

Yes, an Entra ID (formerly Azure AD) tenant is currently required to create an EZMonitor subscription. This allows you to sign in to the EZMonitor portal using your Entra ID credentials and manage your SSL monitoring policies and settings.

Does EZMonitor Integrate with Other Identity Providers Like Okta or Ping Identity?

Not yet, currently EZMonitor is designed to work specifically with Entra ID (formerly Azure AD) as the identity provider. We do not currently support other identity providers such as Okta, Ping Identity, or others. However, we are constantly exploring new integrations and partnerships to expand our offerings and provide more options for our customers. If you have a specific identity provider in mind, please reach out to our sales team to discuss potential future integrations.

Zero Trust SSH Frequently Asked Questions

Fri, 13 Mar 2026 08:45:00 -0800

EZSSH Plans and Pricing

How Does EZSSH Pricing Work?

We bill based on the number of users who use EZSSH to access your infrastructure. For example, if you have 100 users in your organization but only 20 of them use EZSSH to access your servers, you will only be billed for those 20 users. This allows you to scale your usage and costs based on actual demand.

Passwordless Onboarding Frequently Asked Questions

Tue, 03 Mar 2026 08:45:00 -0800

Product Information

What Operating Systems Does EZCMS Support?

EZCMS supports Windows, Linux, and macOS operating systems. This means that users can onboard themselves to unphishable credentials regardless of their device and operating system.

Does EZCMS Support Elliptic Curve Cryptography (ECC) Keys?

Yes. EZCMS supports Elliptic Curve Cryptography (ECC) keys, which are an alternative to traditional RSA keys. ECC keys provide strong security with smaller key sizes, making them more efficient and faster to use.

Support Options for EZRADIUS

Thu, 04 Dec 2025 01:22:09 -0500

We offer a variety of support channels to help you learn about EZRADIUS and get it up and running in your environment as quickly and smoothly as possible.

Interested in EZRADIUS?

Considering EZRADIUS for your organization? We’re here to help you understand its features and how it can fit into your network infrastructure.

Free Demo with a Keytos Engineer

Interested in learning more about EZRADIUS and want to learn more from a Keytos engineer? Schedule a free call with our engineering team to discuss product capabilities and integration scenarios.

How-To: Troubleshoot Azure Key Vault Certificate Issues

Mon, 30 Mar 2026 08:00:00 -0500

How to Delete Azure Key Vault Pending CSR

If you are on this page you, got an email of a very rare error: EZCA created a CSR in your Azure Key Vault to request a certificate on your behalf, something happened and EZCA was not able to remove this request from your key vault. This causes the Key Vault to stay in a pending state blocking the issuance of new Certificates for that specific certificate, Fortunately it is very easy to fix just follow these steps:

How-To: Troubleshoot SSL/Issuing Certificate Authorities in EZCA

Mon, 30 Mar 2026 08:00:00 -0500

I Created a New Intermediate/Subordinate CA in EZCA But I See “Awaiting CA Certificate”

If you have created your intermediate/subordinate CA in EZCA but you get to the point where you see “Awaiting CA Certificate” in EZCA, it means that the CA has been created in EZCA but the certificate has not been signed by your Root CA. Follow these steps to complete the process.

How-To: Troubleshoot Intune SCEP Certificate Issues

Sun, 30 Nov 2025 01:22:09 -0500

How To Troubleshoot Intune SCEP Certificate Error - Overview

If you are having issues with Intune SCEP certificate issuance, and are confused by the “Error” with no additional information, this page will help you troubleshoot the most common issues with Intune SCEP Certificate Issuance. The first step to troubleshooting Intune SCEP if using EZCA is to go to EZCA and go to Certificate Authorities, if you have some misconfiguration in your CA you will see a red box with the error message. The most two common issues that you will see in EZCA are Note the error message will display for 24 hour after it is fixed:

Reference: EZRADIUS Swagger Documentation

Sun, 05 Oct 2025 01:22:09 -0500

Reference: EZSSH Swagger Documentation

Sun, 05 Oct 2025 01:22:09 -0500

Reference: EZCMS Pricing Breakdown

Sun, 05 Oct 2025 01:22:09 -0500

For the most up-to-date pricing information on EZSmartCard services, please visit [EZCMS Pricing](https://www.keytos.io/ezsmartcard_pricing.html).

Reference: EZMonitor Pricing Breakdown

Sun, 05 Oct 2025 01:22:09 -0500

For the most up-to-date pricing information on EZMonitor services, please visit [EZMonitor Pricing](https://www.keytos.io/ezmonitor_pricing.html).

Reference: EZRADIUS Pricing Breakdown

Sun, 05 Oct 2025 01:22:09 -0500

Reference: EZSSH Pricing Breakdown

Sun, 05 Oct 2025 01:22:09 -0500

For the most up-to-date pricing information on EZSSH services, please visit [EZSSH Pricing](https://www.keytos.io/ezssh_pricing.html).

Keytos Frequently Asked Questions

Sun, 30 Nov 2025 01:22:09 -0500

About the Company

When Was Keytos Founded?

Keytos was founded by Marcos Flegmann and Igal Flegmann, two brothers who had a shared vision of creating tools that would help organizations improve their security in a stress-free way.

They recognized that the problem with current security vulnerabilities wasn’t the lack of security protocols, but rather the complexity of following best practices. With more than 9 years of experience creating PKI (Public Key Infrastructure) and identity tools at Microsoft they were well-equipped to tackle this problem. They took their learnings from being world-class athletes and have made trust, persistence, and teamwork Keytos’s core values. These values have created a cohesive and high-performing team that, in a short time, has revolutionized the PKI and identity space.

Reference: EZCA Swagger Documentation

Tue, 21 Oct 2025 01:22:09 -0500

Reference: EZCA Pricing Breakdown

Tue, 21 Oct 2025 01:22:09 -0500

Visit EZCA Pricing for the most up-to-date pricing information on EZCA services.

Keytos Documentation on Keytos Docs

How-To: Issue SCEP Certificates to Windows Devices with Intune

Introduction - How to Issue SCEP Certificates to Windows Devices with Intune

How-To: Add EZSSH Access to Endpoints With Cloud Init

Prerequisites

Overview

How-To: Create a Subordinate ADCS CA in EZCA

Prerequisites

Overview - How To Create an External Issuing/Subordinate CA

How-To: Create Cloud RADIUS Network Policies for Certificate Authentication

Prerequisites

How to Create Cloud RADIUS Network Policies - Video Tutorial

Introduction to Managing Cloud RADIUS Network Policies in EZRADIUS

How-To: Create EZRADIUS Cloud Radius as an Azure Resource

Prerequisites

How to Create Cloud RADIUS - Video Tutorial

How To Create EZRADIUS as an Azure Resource

How-To: Issue Entra CBA Smart Cards with Azure PKI

Prerequisites for Creating Entra CBA Smart Cards with EZCMS and EZCA

Overview

Getting Started - Creating a Cloud PKI for Entra CBA

Entering Cloud CA Information

Cryptographic Requirements

Validity Period

CA Certificate Revocation List

CA Certificate Revocation List Advance Settings

How-To: Manage Passkey and Smart Card Settings for Entra ID

How to Set Instance Administrators

How-To: Register ACME Agent in EZCA

Registering the Agent in EZCA

How-To: Register the EZCMS Entra ID Application

Registering the Application

How-To: Register the EZRADIUS App in Your Azure Tenant

How to Register the Keytos Applications for EZRADIUS

Register the Keytos Applications in Your Entra Tenant

How-To: Register the Keytos EZMonitor Application

Registering the Application

How-To: Select an EZCA Plan in the EZCA Portal with a Free Trial

Prerequisites

Video Version

Sign up for 1 Month Free Trial

How-To: Select an EZMonitor Plan in the EZMonitor Portal

Prerequisites

Sign up for 1 Month Free trial

How-To: Select an EZSSH Plan in the EZSSH Portal

Prerequisites

Video Version

Sign up for 1 Month Free trial

How-To: Setup IIS

Introduction

Setting up the Server

Install IIS Windows feature

How-To: Distribute EAP-TLS WiFi Profiles to non managed Apple iOS devices with EZRADIUS

How to Distribute WiFi Profiles to non managed iOS devices with EZRADIUS

How to Install Wi-Fi Profile on MacOS - Video Tutorial

Option 1: Email Received from EZRADIUS

Learn About the Difference Between Private and Public CAs

What is The Difference Publicly Trusted CAs vs Private CAs

Learn How to Get Started with Certificate Authorities

What Are Certificate Authorities

Learn the Differences Between Root CA and Issuing CAs

What are the Differences Between a Root CA and Issuing CA

Root CA

How-To: Download EZSSH

Tenant Prerequisites

Windows

Command line tool

EZSSH UI

How-To: Register the Keytos Entra ID App in Your Tenant

Prerequisites

Register Keytos Entra Applications

Next Steps

How-To: Self-Enroll YubiKeys and FIDO2 Keys for Entra CBA Using Verifiable Credentials

Introduction - How to Self-Enroll Smartcards and FIDO2 Keys for Entra CBA Using Government ID EZCMS

Learn About EZSSH Policies

What Are EZSSH Policies?

How To Create Cloud Radius Free Trial with EZRADIUS

Prerequisites

How to Create Cloud RADIUS Free Trial

How-To: Add EZSSH Access to Endpoints With Bash Script