Back to Blog
Zero TrustJune 5, 20269 min read

PKI as a Zero Trust Primitive: How Certificate Identity Anchors Device Trust

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

Zero Trust security models require that every device be verified before being granted network access. Enterprise PKI — specifically ADCS-issued machine certificates — provides the cryptographic device identity that makes this verification possible. This article examines how machine certificates anchor device trust in Microsoft environments and what PKI health requirements Zero Trust imposes.

Device Identity in Zero Trust

Zero Trust's "never trust, always verify" principle requires that device identity be established cryptographically, not assumed from network location. A device on the corporate network is not inherently trusted — it must present verifiable identity credentials before accessing resources.

In Microsoft environments, this device identity is anchored by machine certificates issued by ADCS. The certificate proves that the device was domain-joined, passed compliance checks at enrollment time, and holds a private key that cannot be extracted from the device (when stored in the TPM).

Machine Certificate Enrollment

Domain-joined Windows devices automatically enroll for machine certificates from ADCS using the "Computer" or "Workstation Authentication" certificate template. This enrollment happens via autoenrollment, driven by Group Policy, and renews automatically before expiry.

The machine certificate is stored in the Local Machine certificate store and is used for 802.1X network authentication (NAP/NAC), VPN authentication, and as the device identity credential in Intune/Conditional Access policies.

PKI Health Requirements for Zero Trust

Zero Trust device trust is only as strong as the PKI that issues the device certificates. Several PKI health requirements become critical in a Zero Trust context:

  • CRL/OCSP availability — device certificates must be revocable in real time. If your CDP endpoints are unreachable, revoked device certificates continue to authenticate.
  • Certificate template security — if an attacker can enroll a certificate for an arbitrary device identity (ESC1), they can impersonate any device in your Zero Trust policy.
  • CA compromise — a compromised CA can issue fraudulent device certificates that pass all Zero Trust validation checks.
  • Certificate lifetime — short-lived certificates reduce the window of exposure for compromised devices.
Why It Matters

Zero Trust initiatives that rely on device certificates without a healthy underlying PKI are building on a weak foundation. ADCS vulnerabilities like ESC1 and ESC8 directly undermine device identity guarantees. Before deploying Zero Trust controls that depend on certificate identity, audit your ADCS environment.

Recommended Actions
  1. 1Audit ADCS for ESC vulnerabilities before relying on machine certificates for Zero Trust policy enforcement.
  2. 2Ensure CDP and OCSP endpoints are highly available and reachable from all network segments where devices authenticate.
  3. 3Use TPM-backed private keys for machine certificates to prevent certificate export and impersonation.
  4. 4Implement short certificate lifetimes (90 days or less) for device certificates with autoenrollment renewal.
  5. 5Monitor for anomalous machine certificate enrollments — unexpected device names or enrollment from non-standard hosts.
InsecurePlanet Take

Zero Trust and PKI are deeply coupled in Microsoft environments. Organizations investing in Zero Trust architecture should treat ADCS security as a prerequisite, not an afterthought. An ESC1-vulnerable ADCS environment with Zero Trust controls layered on top is not more secure — the certificate identity that Zero Trust relies on can be forged.

Zero TrustPKIDevice IdentityADCS
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon