PKI Toolbox

PKI Toolbox for Engineers, Architects, and Administrators

Practical tools, scripts, references, and checklists for managing, troubleshooting, and securing enterprise PKI environments.

The InsecurePlanet PKI Toolbox is designed for professionals who build, operate, audit, troubleshoot, and modernize enterprise public key infrastructure. Use these resources to review Microsoft ADCS environments, validate certificate chains, troubleshoot revocation, plan migrations, review templates, and improve certificate lifecycle operations.

Free subscription required

Sign up once to unlock all free InsecurePlanet PKI Toolbox resources — checklists, worksheets, guides, and future tools.

Get Free Access
Category 1

Microsoft ADCS Tools

Health checks, CA configuration, template review, certutil references, and PowerShell assessment scripts

Free · External Reference

PKIView Troubleshooting Guide

For: PKI admins, IT operationsFormat: External Reference
Available

Use PKIView.msc to review Enterprise PKI health, validate CA certificate publication, check CDP and AIA availability, identify expired or unreachable CRLs, and troubleshoot common ADCS publication problems.

Common Use Cases
  • PKIView red or yellow status indicators
  • CDP Location unable to download
  • AIA Location unable to download
  • Expired CRL warnings
  • Broken HTTP CRL publication
  • Old CA references after CA migration
  • Offline root CRL publication validation
  • PKIView cleanup after CA migration
Trusted References
Microsoft — Quick Check on ADCS Health Using Enterprise PKI Tool / PKIView
Microsoft — Configure CDP and AIA Extensions
Microsoft — Copy CA Certificate and CRL to Virtual Directory
sysadmins.lv — Designing CDP and AIA Locations

External links leave InsecurePlanet.com and open on their respective publisher sites.

Unlock Free AccessFree subscription required to access reference links
Available

ADCS Health Check Checklist

Step-by-step checklist for reviewing your ADCS deployment — CA roles, configuration, hardening, and ESC exposure.

For: Security engineers, PKI adminsFormat: PDF / Markdown
Available

Certificate Template Security Review Worksheet

Structured worksheet for auditing certificate templates — EKU, enrollment rights, subject supply, and manager approval settings.

For: PKI architects, security teamsFormat: PDF / XLSX
Available

certutil Command Reference for PKI Admins

Practical certutil commands for certificate inspection, CRL validation, CA management, and troubleshooting — with examples.

For: PKI admins, security engineersFormat: Reference
Coming Soon

ADCS CA Backup and Recovery Checklist

Checklist for backing up Root and Issuing CAs — private keys, CA database, registry, and recovery validation steps.

For: PKI admins, IT operationsFormat: PDF / Markdown
Coming Soon
Coming Soon

Enterprise Root and Issuing CA Validation Checklist

Validation checklist for newly deployed Root and Issuing CAs — configuration, publication, and enrollment testing.

For: PKI architects, IT operationsFormat: PDF
Coming Soon
Restricted

ADCS PowerShell Assessment Script

PowerShell script for automated ADCS environment assessment — CA configuration, template enumeration, and ESC exposure detection.

For: Security engineers, red teamsFormat: PS1 Script
Category 2

Certificate Validation Tools

Chain validation, SAN/EKU review, TLS inspection, expiration checking, and format references

Available

EKU and Key Usage Review Guide

Guide to Extended Key Usage OIDs and Key Usage bits — what each means, dangerous combinations, and template hardening.

For: PKI architects, security teamsFormat: Guide
Coming Soon

Certificate Chain Validation Checklist

Checklist for validating certificate chains — trust anchors, intermediate CAs, revocation, and path length constraints.

For: Security engineers, PKI adminsFormat: PDF / Markdown
Coming Soon
Coming Soon

TLS Certificate Inspection Guide

How to inspect TLS certificates using openssl, certutil, and browser tools — SANs, EKUs, key usage, and validity periods.

For: Security engineers, web adminsFormat: Guide
Coming Soon
Coming Soon

Certificate Expiration Review Worksheet

Worksheet for tracking certificate expiration across enterprise environments — inventory, alerting, and renewal planning.

For: PKI admins, IT operationsFormat: XLSX
Coming Soon
Coming Soon

Certificate Format Reference Guide

Reference for PEM, DER, PFX, CER, CRT, and P7B formats — conversion commands, use cases, and compatibility notes.

For: All PKI practitionersFormat: Reference
Coming Soon
Category 3

CRL, OCSP, CDP, and AIA Tools

Revocation infrastructure validation, CDP/AIA URL testing, OCSP troubleshooting, and PKIView cleanup

Available

CRL/CDP/AIA Validation Checklist

Checklist for validating CRL publication, CDP URL accessibility, AIA URL accessibility, and revocation chain integrity.

For: PKI admins, security engineersFormat: PDF / Markdown
Available

PKIView Error Resolution Reference

Reference for common PKIView errors — red X, yellow warning, and missing CDP/AIA entries — with resolution steps.

For: PKI admins, IT operationsFormat: Reference
Coming Soon

OCSP Troubleshooting Checklist

Step-by-step OCSP troubleshooting — responder configuration, certificate status, network accessibility, and response validation.

For: PKI admins, IT operationsFormat: PDF
Coming Soon
Coming Soon

HTTP PKI Publication Test Guide

How to test HTTP-based CRL and AIA publication endpoints — tools, commands, and common failure modes.

For: PKI admins, IT operationsFormat: Guide
Coming Soon
Coming Soon

Offline Root CRL Publication Checklist

Checklist for publishing offline Root CA CRLs — scheduling, publication steps, validation, and monitoring.

For: PKI adminsFormat: PDF / Markdown
Coming Soon
Category 4

Certificate Template Security Tools

ESC1–ESC8 risk review, enrollment permissions, exportable key detection, and template hardening

Available

ESC1–ESC8 Review Checklist

Checklist for reviewing certificate templates against ESC1 through ESC8 attack paths — with detection and remediation guidance.

For: Security engineers, PKI architectsFormat: PDF / Markdown
Available

Certificate Template Risk Matrix

Risk matrix for classifying certificate templates by attack surface — enrollment rights, EKU, subject supply, and key exportability.

For: Security teams, PKI architectsFormat: XLSX
Available

Auto-Enrollment Security Review Worksheet

Worksheet for reviewing auto-enrollment configuration — GPO settings, template permissions, and enrollment agent controls.

For: PKI admins, security teamsFormat: PDF / XLSX
Coming Soon

Code Signing Template Security Checklist

Security checklist for code signing certificate templates — key protection, EKU, enrollment rights, and timestamping requirements.

For: PKI architects, security teamsFormat: PDF
Coming Soon
Coming Soon

Client Authentication Template Review Guide

Guide for reviewing client authentication templates — enrollment permissions, SAN settings, and PKINIT compatibility.

For: PKI architects, security engineersFormat: Guide
Coming Soon
Category 5

PKI Architecture and Migration Tools

Offline root CA planning, issuing CA deployment, migration readiness, and legacy CA retirement

Available

Two-Tier PKI Design Checklist

Checklist for designing a two-tier PKI hierarchy — Root CA placement, Issuing CA configuration, and publication infrastructure.

For: PKI architects, IT leadershipFormat: PDF / Markdown
Available

Offline Root CA Planning Guide

Planning guide for offline Root CA deployment — hardware, OS hardening, key generation, and physical security requirements.

For: PKI architects, IT operationsFormat: Guide
Available

Issuing CA Deployment Checklist

Step-by-step checklist for deploying an enterprise Issuing CA — installation, configuration, template publishing, and validation.

For: PKI admins, IT operationsFormat: PDF / Markdown
Available

PKI Migration Readiness Checklist

Readiness checklist for PKI migration projects — inventory, dependency mapping, cutover planning, and rollback procedures.

For: PKI architects, project managersFormat: PDF / XLSX
Available

Legacy CA Retirement Checklist

Checklist for safely retiring legacy CAs — certificate inventory, revocation, AD cleanup, and stakeholder communication.

For: PKI admins, IT operationsFormat: PDF
Available

Certificate Inventory Worksheet

Worksheet for building a certificate inventory — discovery methods, classification, ownership, and expiration tracking.

For: PKI admins, security teamsFormat: XLSX
Available

PKI Cutover Validation Checklist

Validation checklist for PKI cutover events — enrollment testing, revocation validation, and application compatibility checks.

For: PKI admins, IT operationsFormat: PDF
Available

PKI Architecture Decision Guide

Decision framework for PKI architecture choices — CA hierarchy depth, HSM requirements, online vs. offline roots, and cloud PKI options.

For: PKI architects, IT leadershipFormat: Guide
Available

CA Compromise Response Playbook

Step-by-step playbook for responding to a CA compromise — containment, revocation, re-issuance, and stakeholder communication.

For: Security teams, PKI architectsFormat: PDF / Markdown
Available

How a CA Can Be Compromised — Interactive Demo

Defensive educational demo: how CA compromise risk develops through weak governance, template misconfiguration, and poor key protection — with detection and hardening guidance.

For: PKI engineers, security architectsFormat: Interactive
Restricted

Three-Tier PKI Design and HSM Integration Guide

Advanced guide for three-tier PKI hierarchies with HSM-backed Root CAs — design, key ceremony, and operational procedures.

For: PKI architects, security teamsFormat: Guide
Category 6

EAP-TLS, Wi-Fi, VPN, and Identity Tools

Cisco ISE, EAP-TLS validation, machine/user certificates, NPS/RADIUS, VPN, and smart card troubleshooting

Coming Soon

Cisco ISE EAP-TLS Certificate Checklist

Checklist for validating certificates used in Cisco ISE EAP-TLS deployments — CA trust, template settings, and revocation.

For: Network engineers, PKI adminsFormat: PDF / Markdown
Coming Soon
Coming Soon

Machine Certificate Validation Guide

Guide for validating machine certificates — auto-enrollment, template settings, chain validation, and NPS compatibility.

For: PKI admins, network engineersFormat: Guide
Coming Soon
Coming Soon

VPN Certificate Troubleshooting Guide

Troubleshooting guide for VPN certificate issues — chain validation, revocation, EKU requirements, and common failure modes.

For: Network engineers, PKI adminsFormat: Guide
Coming Soon
Coming Soon

Smart Card / PIV Certificate Review Checklist

Checklist for reviewing smart card and PIV certificate deployments — template settings, PKINIT, and logon validation.

For: PKI architects, security teamsFormat: PDF
Coming Soon
Coming Soon

Identity Certificate Troubleshooting Worksheet

Worksheet for diagnosing identity certificate issues — enrollment failures, revocation errors, and authentication problems.

For: PKI admins, help deskFormat: PDF / XLSX
Coming Soon
Category 7

Code Signing, S/MIME, and Document Signing Tools

Code signing templates, timestamping, S/MIME planning, document signing, HSM-backed signing

Coming Soon

Code Signing Security Checklist

Security checklist for code signing deployments — key protection, HSM requirements, timestamping, and certificate lifecycle.

For: Security engineers, developersFormat: PDF / Markdown
Coming Soon
Coming Soon

S/MIME Certificate Planning Guide

Planning guide for enterprise S/MIME deployments — certificate templates, auto-enrollment, key archival, and client configuration.

For: PKI architects, messaging adminsFormat: Guide
Coming Soon
Coming Soon

Document Signing Certificate Checklist

Checklist for document signing certificate deployments — EKU requirements, key protection, and signing workflow validation.

For: PKI architects, compliance teamsFormat: PDF
Coming Soon
Coming Soon

Timestamp Authority Review Guide

Guide for selecting and validating timestamp authorities — RFC 3161 compliance, long-term validation, and TSA certificate requirements.

For: Security engineers, developersFormat: Guide
Coming Soon
Restricted

HSM-Backed Signing Readiness Checklist

Readiness checklist for HSM-backed signing deployments — HSM selection, key ceremony, integration, and operational procedures.

For: PKI architects, security teamsFormat: PDF
Category 8

PQC and Crypto-Agility Tools

Post-quantum readiness, crypto-agility planning, NIST standards tracking, and cryptographic inventory

Available

PQC Readiness Checklist

Checklist for assessing post-quantum cryptography readiness — cryptographic inventory, algorithm exposure, and migration planning.

For: Security architects, IT leadershipFormat: PDF / Markdown
Available

Crypto-Agility Planning Worksheet

Worksheet for planning crypto-agility — algorithm dependencies, system inventory, migration priority, and timeline planning.

For: Security architects, PKI teamsFormat: XLSX
Available

Cryptographic Inventory Template

Template for building a cryptographic inventory — algorithms in use, key lengths, certificate lifetimes, and system dependencies.

For: Security teams, complianceFormat: XLSX
Available

Hybrid Certificate Planning Guide

Guide for planning hybrid certificate deployments — combining classical and post-quantum algorithms for transition-period security.

For: PKI architects, security engineersFormat: Guide
Available

Post-Quantum PKI Migration Roadmap

Four-phase migration roadmap for transitioning enterprise PKI to post-quantum algorithms — inventory, pilot, migration, and validation.

For: IT leadership, PKI architectsFormat: PDF
Available

NIST PQC Standards Quick Reference

Quick reference for NIST post-quantum standards — ML-KEM, ML-DSA, SLH-DSA, FN-DSA, and HQC — with algorithm selection guidance.

For: Security architects, PKI engineersFormat: Reference
Available

Harvest-Now-Decrypt-Later Risk Assessment

Risk assessment framework for evaluating HNDL exposure — data classification, encryption inventory, and prioritization guidance.

For: Security architects, CISO teamsFormat: PDF / XLSX
Category 9

External Trusted Resources

Curated links to official documentation, research, and trusted public tools — links open on external sites

Category 10

Downloadable Resources

InsecurePlanet-created checklists, worksheets, and runbooks for enterprise PKI operations

Available

ADCS Health Check Checklist

Comprehensive ESC1–ESC13 assessment checklist with CA hardening and enrollment endpoint review.

For: Security engineers, PKI adminsFormat: PDF + Markdown
Available

PKI Migration Readiness Checklist

Readiness assessment for PKI migration projects — inventory, dependencies, cutover, and rollback.

For: PKI architects, project managersFormat: PDF + XLSX
Available

Certificate Template Security Review Worksheet

Structured worksheet for auditing all certificate templates against ESC attack paths.

For: PKI architects, security teamsFormat: PDF + XLSX
Available

CRL/CDP/AIA Validation Checklist

Validation checklist for revocation infrastructure — CRL publication, CDP/AIA URLs, and OCSP.

For: PKI admins, IT operationsFormat: PDF + Markdown
Available

PQC Readiness Checklist

Post-quantum cryptography readiness assessment — algorithm inventory, exposure, and migration planning.

For: Security architects, IT leadershipFormat: PDF + Markdown
Available

Post-Quantum PKI Migration Roadmap

Four-phase roadmap for transitioning enterprise PKI to post-quantum algorithms — inventory through validation.

For: IT leadership, PKI architectsFormat: PDF
Available

Certificate Inventory Worksheet

Worksheet for building a full enterprise certificate inventory with expiration tracking.

For: PKI admins, security teamsFormat: XLSX
Coming Soon

Enterprise PKI Assessment Toolkit

Complete toolkit combining ADCS health check, template review, and revocation validation checklists.

For: Security engineers, PKI architectsFormat: ZIP (PDF + XLSX + Markdown)
Coming Soon
Available

Offline Root CA Build Runbook

Step-by-step runbook for building and commissioning an offline Root CA from scratch.

For: PKI architects, IT operationsFormat: PDF + DOCX
Coming Soon

Issuing CA Build Runbook

Step-by-step runbook for deploying an enterprise Issuing CA — installation through production validation.

For: PKI admins, IT operationsFormat: PDF + DOCX
Coming Soon
Coming Soon

PKI Web Publication Runbook

Runbook for configuring HTTP-based CRL and AIA publication — IIS setup, URL testing, and monitoring.

For: PKI admins, IT operationsFormat: PDF + DOCX
Coming Soon
Available

CA Compromise Response Playbook

Step-by-step playbook for CA compromise response — containment, revocation, re-issuance, and communication.

For: Security teams, PKI architectsFormat: PDF + Markdown
Disclaimer

The InsecurePlanet PKI Toolbox is provided for educational and defensive cybersecurity purposes. Always validate tools, scripts, commands, and guidance in a lab or test environment before using them in production. Follow your organization's change control, security, and compliance processes.