diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-deployment/Microsoft_cloud_PKI_BYOCA_CA_deployment.png b/memdocs/intune/protect/media/microsoft-cloud-pki-deployment/byoca-ca-deployment.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki-deployment/Microsoft_cloud_PKI_BYOCA_CA_deployment.png rename to memdocs/intune/protect/media/microsoft-cloud-pki-deployment/byoca-ca-deployment.png diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-deployment/Understanding_certs_in_play_for_CBA_draft3.png b/memdocs/intune/protect/media/microsoft-cloud-pki-deployment/certs-in-play-for-cba.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki-deployment/Understanding_certs_in_play_for_CBA_draft3.png rename to memdocs/intune/protect/media/microsoft-cloud-pki-deployment/certs-in-play-for-cba.png diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-deployment/Microsoft_cloud_PKI_root_CA_deployment.png b/memdocs/intune/protect/media/microsoft-cloud-pki-deployment/root-ca-deployment.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki-deployment/Microsoft_cloud_PKI_root_CA_deployment.png rename to memdocs/intune/protect/media/microsoft-cloud-pki-deployment/root-ca-deployment.png diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/Understanding_certs_in_play_for_CBA_draft1.png b/memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/certificate-handshake.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/Understanding_certs_in_play_for_CBA_draft1.png rename to memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/certificate-handshake.png 
diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/Chain_of_trust_draft1.png b/memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/chain-of-trust.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/Chain_of_trust_draft1.png rename to memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/chain-of-trust.png diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/Chain_validation-draft1.png b/memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/chain-validation.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/Chain_validation-draft1.png rename to memdocs/intune/protect/media/microsoft-cloud-pki-fundamentals/chain-validation.png diff --git a/memdocs/intune/protect/media/microsoft-cloud-pki/Architecture_flow.png b/memdocs/intune/protect/media/microsoft-cloud-pki/architecture-flow.png similarity index 100% rename from memdocs/intune/protect/media/microsoft-cloud-pki/Architecture_flow.png rename to memdocs/intune/protect/media/microsoft-cloud-pki/architecture-flow.png diff --git a/memdocs/intune/protect/microsoft-cloud-pki-deployment.md b/memdocs/intune/protect/microsoft-cloud-pki-deployment.md index e5eac7d524..3111e93b2c 100644 --- a/memdocs/intune/protect/microsoft-cloud-pki-deployment.md +++ b/memdocs/intune/protect/microsoft-cloud-pki-deployment.md 
@@ -112,12 +112,12 @@ Relying parties require the following CA certificate trust chain. The following diagram shows certificates in action for both client and relying parties. > [!div class="mx-imgBorder"] -> ![Diagram of the certificate flow for client and relying parties.](./media/microsoft-cloud-pki-deployment/Understanding_certs_in_play_for_CBA_draft3.png) +> ![Diagram of the certificate flow for client and relying parties.](./media/microsoft-cloud-pki-deployment/certs-in-play-for-CBA.png) The following diagram shows the respective CA certificate trust chains that must be deployed to both managed devices and relying parties. The CA trust chains ensure Cloud PKI certificates issued to Intune-managed devices are trusted and can be used to authenticate to relying parties. > [!div class="mx-imgBorder"] -> ![Diagram of the Microsoft Cloud PKI root CA deployment flow.](./media/microsoft-cloud-pki-deployment/Microsoft_cloud_PKI_root_CA_deployment.png) +> ![Diagram of the Microsoft Cloud PKI root CA deployment flow.](./media/microsoft-cloud-pki-deployment/root-ca-deployment.png) ### Option 2: Bring your own CA (BYOCA) @@ -146,7 +146,7 @@ Relying parties trust the Cloud PKI BYOCA issued SCEP certificate to the managed The following diagram illustrates how the respective CA certificate trust chains are deployed to Intune managed devices. > [!div class="mx-imgBorder"] -> ![Diagram of the CA certificate trust chains that must be deployed to Intune managed devices.](./media/microsoft-cloud-pki-deployment/Microsoft_cloud_PKI_BYOCA_CA_deployment.png) +> ![Diagram of the CA certificate trust chains that must be deployed to Intune managed devices.](./media/microsoft-cloud-pki-deployment/byoca-ca-deployment.png) `*` In this diagram, *private* refers to the Active Directory Certificate Service or a non-Microsoft service. ## Summary 
diff --git a/memdocs/intune/protect/microsoft-cloud-pki-fundamentals.md b/memdocs/intune/protect/microsoft-cloud-pki-fundamentals.md index 6b97188e83..daebe76a9e 100644 --- a/memdocs/intune/protect/microsoft-cloud-pki-fundamentals.md +++ b/memdocs/intune/protect/microsoft-cloud-pki-fundamentals.md @@ -118,7 +118,7 @@ A certificate chain with an ordered list of certificates enables the relying par The following diagram illustrates the *name matching* chain validation flow. > [!div class="mx-imgBorder"] -> ![Diagram of the chain validation process using the name match method.](./media/microsoft-cloud-pki-fundamentals/Chain_validation-draft1.png) +> ![Diagram of the chain validation process using the name match method.](./media/microsoft-cloud-pki-fundamentals/chain-validation.png) ### Ensure a chain of trust @@ -127,7 +127,7 @@ When you use certificates to perform certificate-based authentication, you must The root CA must be present. If the issuing CA certificate isn't present, then it can be requested by the relying party using the native certificate chain engine for the intended OS platform. The relying party can request the issuing CA certificate using the leaf certificate's *authority information access* property. > [!div class="mx-imgBorder"] -> ![Diagram of the chain of validation process.](./media/microsoft-cloud-pki-fundamentals/Chain_of_trust_draft1.png) +> ![Diagram of the chain of validation process.](./media/microsoft-cloud-pki-fundamentals/chain-of-trust.png) ## Certificate-based authentication This section provides a basic understanding of the various certificates being used when a client or device performs certificate-based authentication. 
@@ -140,6 +140,6 @@ The following steps describe the handshake that takes place between a client and 4. The client presents its client authentication certificate to the relying party to authenticate. > [!div class="mx-imgBorder"] -> ![Diagram of a handshake between a client and relying party service.](./media/microsoft-cloud-pki-fundamentals/Understanding_certs_in_play_for_CBA_draft1.png) +> ![Diagram of a handshake between a client and relying party service.](./media/microsoft-cloud-pki-fundamentals/certificate-handshake.png) In an environment without Microsoft Cloud PKI, a private CA is responsible for issuing both the TLS/SSL certificate used by the relying party, and the device client authentication certificate. Microsoft Cloud PKI can be used to issue the device client authentication certificate, effectively replacing the private CA for this specific task. diff --git a/memdocs/intune/protect/microsoft-cloud-pki-overview.md b/memdocs/intune/protect/microsoft-cloud-pki-overview.md index 2defc1bc55..6d3653f538 100644 --- a/memdocs/intune/protect/microsoft-cloud-pki-overview.md +++ b/memdocs/intune/protect/microsoft-cloud-pki-overview.md 
@@ -97,7 +97,7 @@ The following table lists the features and scenarios supported with Microsoft Cl Microsoft Cloud PKI is made up of several key components working together to simplify the complexity and management of a public key infrastructure. It includes a Cloud PKI service for creating and hosting certification authorities, combined with a certificate registration authority to automatically service incoming certificate requests from Intune-enrolled devices. The registration authority supports the Simple Certificate Enrollment Protocol (SCEP). > [!div class="mx-imgBorder"] -> ![Drawing of the Microsoft Cloud PKI architecture.](./media/microsoft-cloud-pki/Architecture_flow.png) +> ![Drawing of the Microsoft Cloud PKI architecture.](./media/microsoft-cloud-pki/architecture-flow.png) `*` See **Components** for a breakdown of services. **Components**:
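Review bot: In microsoft-cloud-pki-deployment.md (hunk @@ -112,12 +112,12 @@), the new image link points to `certs-in-play-for-CBA.png`, but the rename at the top of this patch creates `certs-in-play-for-cba.png`, all lowercase. On a case-sensitive file system or host the link will not resolve and the diagram will not render. Change the reference to `./media/microsoft-cloud-pki-deployment/certs-in-play-for-cba.png` so it matches the renamed file. The other six image references in the patch match their renamed files exactly.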
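Review bot: In microsoft-cloud-pki-fundamentals.md (hunk @@ -127,7 +127,7 @@), the alt text on the changed image line still reads "Diagram of the chain of validation process." although the image sits under "Ensure a chain of trust" and is now named `chain-of-trust.png`. Since the line is being edited anyway, consider alt text that describes the chain of trust, so it can be told apart from the chain-validation diagram in the preceding hunk.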