One of my recent posts about installing a two-tier Public Key Infrastructure did remarkably well and even got mentioned for the third time in the Microsoft Entra Newsletter! After publication I got many offline questions, so I decided to do a follow-up post on what is recommended when designing a PKI infrastructure. It is all stuck in my head anyway, so why not write it down. This post is not meant to be a theoretical PKI handbook. It is a practical overview of PKI best practices and common mistakes seen in real-world environments, plus a bit of my own experience.
Tag: #PKI
Over the years I’ve written quite a bit about cryptography. PKI, certificates, trust chains, identity, and even a deep dive into Diffie–Hellman key exchange. All fairly technical topics, and topics I genuinely enjoy writing about. Yet there was always something missing.
Other parts in this series
How to: Build a PKI with PowerShell – Part 1 – Preparation
How to: Build a PKI with PowerShell – Part 2 – IIS WebServer
How to: Build a PKI with PowerShell – Part 3 – Offline Root CA
In the previous parts of this series, we’ve laid the foundation of my PKI infrastructure. I’ve designed the architecture, prepared the environment, built the web distribution layer, and established a secure and isolated Root Certificate Authority. With that foundation in place, I can now move on to the component that will actually issue certificates: the Enterprise Certification Authority.
Other parts in this series
How to: Build a PKI with PowerShell – Part 1 – Preparation
How to: Build a PKI with PowerShell – Part 2 – IIS WebServer
How to: Build a PKI with PowerShell – Part 4 – Enterprise CA
In the previous part, I prepared the PKI Web Server, the semi-public-facing component responsible for distributing CRLs, certificates, and policy information.
In this part, I’ll move to the most sensitive and critical component of the entire PKI design: the Offline Root Certificate Authority. This system forms the foundation of trust. Everything else in the PKI ultimately depends on it, so it had better be very secure!
Other parts in this series
How to: Build a PKI with PowerShell – Part 1 – Preparation
How to: Build a PKI with PowerShell – Part 3 – Offline Root CA
How to: Build a PKI with PowerShell – Part 4 – Enterprise CA
In the previous part, I’ve covered the design choices and preparation work needed before touching any infrastructure. In this part, I’ll finally start building something: the PKI Web Server.
I know, I know, not the most exciting exercise, but stay tuned: perhaps I’ll have some former Microsoft security engineer tips here! Boring as it is, this server plays a crucial role in the overall trust model. It hosts:
- The Certificate Revocation List (CRL)
- The CRL Distribution Point (CDP) and CA certificate (AIA) locations referenced by every issued certificate
- The Certification Practice Statement (CPS)
In short: it becomes the “public-facing” component of your PKI.
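Because every relying party follows the URLs baked into issued certificates, the quickest way to see whether the web server is doing its job is to pull those URLs out of a certificate and fetch them. The following PowerShell check is an added example, not code from the series or the author: it reads the CDP and AIA extensions of a certificate, downloads each HTTP location, flags HTTPS URLs (revocation data must be served over plain HTTP, otherwise validating the TLS endpoint itself needs a revocation check), and reports the NextUpdate of any CRL it fetched. The function name `Test-PkiPublishing`, the path `.\issued.cer` and the reliance on an English-locale `certutil.exe` (PowerShell 5.1 or later on Windows) are assumptions of this example.

```powershell
function Test-PkiPublishing {
    # Added example, not part of the original series. Verifies that the CDP/AIA
    # URLs embedded in a certificate are reachable and that published CRLs are fresh.
    param([Parameter(Mandatory)][string]$CertificatePath)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificatePath)

    # OID 2.5.29.31 = CRL Distribution Points, OID 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $targets = foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -notin @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) { continue }
        # Format($true) renders the extension as multi-line text containing "URL=<location>" entries
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
        }
    }

    foreach ($t in $targets) {
        $result = [ordered]@{ Extension = $t.Extension; Url = $t.Url; Status = ''; NextUpdate = $null }

        if ($t.Url -like 'ldap://*') {
            $result.Status = 'SKIPPED (LDAP path, only usable by domain members)'
        }
        elseif ($t.Url -like 'https://*') {
            # Revocation data over HTTPS creates a circular dependency: the TLS
            # certificate of the CDP itself would need a revocation check first.
            $result.Status = 'WARN: CDP/AIA published over HTTPS'
        }
        else {
            $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
            try {
                $resp = Invoke-WebRequest -Uri $t.Url -OutFile $tmp -PassThru -UseBasicParsing -TimeoutSec 15
                $result.Status = "HTTP $($resp.StatusCode), $((Get-Item $tmp).Length) bytes"

                if ($t.Url -match '\.crl$') {
                    # certutil -dump prints the CRL validity window as " NextUpdate: <date>"
                    # (assumes an English-locale certutil; the date is parsed with the current culture)
                    $line = certutil.exe -dump $tmp |
                        Select-String -Pattern 'NextUpdate:\s*(.+)$' |
                        Select-Object -First 1
                    if ($line) {
                        $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim())
                        $result.NextUpdate = $next
                        if ($next -lt (Get-Date)) { $result.Status += ' - EXPIRED CRL' }
                    }
                }
            }
            catch {
                $result.Status = "FAILED: $($_.Exception.Message)"
            }
            finally {
                Remove-Item $tmp -ErrorAction SilentlyContinue
            }
        }

        [pscustomobject]$result
    }
}

# Usage (assumed path): run from a client that should be able to reach the PKI web server.
Test-PkiPublishing -CertificatePath '.\issued.cer' | Format-Table -AutoSize
```

Run it from a machine outside the domain as well: an LDAP-only CDP or a web server that is only resolvable internally is exactly the kind of "works for me" gap that surfaces the first time a non-domain device or a partner validates one of your certificates.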
Other parts in this series
How to: Build a PKI with PowerShell – Part 2 – IIS WebServer
How to: Build a PKI with PowerShell – Part 3 – Offline Root CA
How to: Build a PKI with PowerShell – Part 4 – Enterprise CA
Over the last couple of years, I’ve written a lot about Public Key Infrastructure (PKI). Not the “click next, next, finish” type of posts, but the deeper stuff, why you’d pick one design over another, and what trade-offs you’re really making.
Even so, I still see people struggling with PKI. Sometimes even setting up a relatively simple environment turns into a painful mix of conflicting guides, half-implemented best practices, and “set it and forget it” assumptions. The reality is: PKI quietly underpins almost everything we trust in modern IT environments, but it’s often poorly documented, inconsistently implemented, and rarely treated like the living service it actually is.