PKI · ADCS · Digital Trust

PKI & Certificates

Active Directory Certificate Services, certificate lifecycle management, trust hierarchy design, ADCS ESC attack paths, and enterprise PKI advisory content — for practitioners who run real PKI.

Latest PKI & ADCS News

Recent developments in certificate security and enterprise PKI

PKI Trust Hierarchy

How Root CA, Issuing CAs, and end-entity certificates form a chain of trust

Enterprise PKI Certificate Hierarchy — Root CA delegates authority to Intermediate CAs (User CA, Server CA, Device CA, Code Signing CA), each issuing end-entity certificates for their respective domains

Certificate Lifecycle

From request to revocation — the five stages of enterprise certificate management

Request
CSR generated, identity verified, template applied
Issuance
CA signs certificate, CRL/CDP published
Deployment
Certificate bound to service, auth configured
Renewal
Pre-expiry renewal, key rotation policy enforced
Revocation
CRL/OCSP updated, certificate invalidated

ADCS ESC Attack Paths

Known ADCS privilege escalation and abuse techniques — prioritized by risk

ESC paths ESC5, ESC7, ESC9–ESC13 are covered in the full ADCS Security Checklist. Download free →

Core PKI Concepts

Foundational knowledge for enterprise PKI practitioners

Certificate Authority Hierarchy

A PKI trust hierarchy consists of a Root CA (offline, air-gapped), one or more Issuing CAs (online, domain-joined), and optionally Policy CAs. The Root CA signs Issuing CA certificates; Issuing CAs sign end-entity certificates. The Root CA certificate is distributed via Group Policy to all domain members.

Root CAIssuing CATrust Chain

Certificate Templates

ADCS certificate templates define what a certificate can be used for (EKU), who can enroll, whether the subject is supplied by the enrollee or the CA, and key usage constraints. Misconfigured templates are the primary source of ADCS privilege escalation vulnerabilities (ESC1–ESC13).

EKUEnrollment RightsESC Paths

CRL & OCSP Revocation

Certificate Revocation Lists (CRLs) are signed lists of revoked certificate serial numbers published by the CA. OCSP provides real-time revocation status. CDP (CRL Distribution Point) extensions in certificates tell clients where to fetch the CRL. Broken CDP paths cause authentication failures.

CRLOCSPCDP

Certificate-Based Authentication

Kerberos PKINIT and Schannel use certificates for authentication. The client presents a certificate; the KDC or server validates the chain, checks revocation, and verifies the EKU. ADCS issues the certificates used in this flow — making PKI health directly tied to authentication security.

PKINITKerberosSchannel