Active Directory Certificate Services, certificate lifecycle management, trust hierarchy design, ADCS ESC attack paths, and enterprise PKI advisory content — for practitioners who run real PKI.
Recent developments in certificate security and enterprise PKI
ESC8 is a documented ADCS exposure pattern involving NTLM relay to HTTP-based enrollment endpoints. Organizations with Web Enrollment enabled should assess EPA enforcement and apply available mitigations.
Read full articleStarting August 2026, Azure AD will enforce strict CA binding for certificate-based authentication. Organizations using third-party CAs or misconfigured trust anchors must act before the deadline.
Read full articleGoogle Chrome 128 removes trust for SHA-1 intermediate certificates, breaking authentication flows in enterprises still running legacy PKI hierarchies. Audit your chain now.
Read full articleA structured walkthrough of all known ADCS ESC attack paths, prioritized by exploitability and blast radius. Includes detection queries, template hardening steps, and CA configuration guidance.
Read full articleHow Root CA, Issuing CAs, and end-entity certificates form a chain of trust

From request to revocation — the five stages of enterprise certificate management
Known ADCS privilege escalation and abuse techniques — prioritized by risk
Misconfigured Certificate Templates
Enrollee-supplied Subject + low-privilege enrollment rights. Allows any user to request a cert as any principal.
Misconfigured Certificate Templates (Any Purpose)
Any Purpose EKU or no EKU set. Certificate can be used for any authentication purpose.
Misconfigured Enrollment Agent Templates
Enrollment Agent template abuse allows requesting certs on behalf of other users.
Vulnerable Certificate Template ACL
Write permissions on a template allow an attacker to modify it to introduce ESC1 conditions.
EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
CA-level flag allows SAN specification in any request, enabling impersonation via any template.
NTLM Relay to ADCS HTTP Endpoints
Web Enrollment and CES endpoints accept NTLM auth, enabling relay attacks to obtain certificates.
ESC paths ESC5, ESC7, ESC9–ESC13 are covered in the full ADCS Security Checklist. Download free →
Foundational knowledge for enterprise PKI practitioners
A PKI trust hierarchy consists of a Root CA (offline, air-gapped), one or more Issuing CAs (online, domain-joined), and optionally Policy CAs. The Root CA signs Issuing CA certificates; Issuing CAs sign end-entity certificates. The Root CA certificate is distributed via Group Policy to all domain members.
ADCS certificate templates define what a certificate can be used for (EKU), who can enroll, whether the subject is supplied by the enrollee or the CA, and key usage constraints. Misconfigured templates are the primary source of ADCS privilege escalation vulnerabilities (ESC1–ESC13).
Certificate Revocation Lists (CRLs) are signed lists of revoked certificate serial numbers published by the CA. OCSP provides real-time revocation status. CDP (CRL Distribution Point) extensions in certificates tell clients where to fetch the CRL. Broken CDP paths cause authentication failures.
Kerberos PKINIT and Schannel use certificates for authentication. The client presents a certificate; the KDC or server validates the chain, checks revocation, and verifies the EKU. ADCS issues the certificates used in this flow — making PKI health directly tied to authentication security.
Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.
Service Updates Coming SoonGet PKI advisories, ADCS updates, and certificate security news in the weekly InsecurePlanet Security Brief.
Subscribe free