Practical tools, scripts, references, and checklists for managing, troubleshooting, and securing enterprise PKI environments.
The InsecurePlanet PKI Toolbox is designed for professionals who build, operate, audit, troubleshoot, and modernize enterprise public key infrastructure. Use these resources to review Microsoft ADCS environments, validate certificate chains, troubleshoot revocation, plan migrations, review templates, and improve certificate lifecycle operations.
Free subscription required
Sign up once to unlock all free InsecurePlanet PKI Toolbox resources — checklists, worksheets, guides, and future tools.
Health checks, CA configuration, template review, certutil references, and PowerShell assessment scripts
Use PKIView.msc to review Enterprise PKI health, validate CA certificate publication, check CDP and AIA availability, identify expired or unreachable CRLs, and troubleshoot common ADCS publication problems.
External links leave InsecurePlanet.com and open on their respective publisher sites.
Step-by-step checklist for reviewing your ADCS deployment — CA roles, configuration, hardening, and ESC exposure.
Structured worksheet for auditing certificate templates — EKU, enrollment rights, subject supply, and manager approval settings.
Practical certutil commands for certificate inspection, CRL validation, CA management, and troubleshooting — with examples.
Checklist for backing up Root and Issuing CAs — private keys, CA database, registry, and recovery validation steps.
Validation checklist for newly deployed Root and Issuing CAs — configuration, publication, and enrollment testing.
PowerShell script for automated ADCS environment assessment — CA configuration, template enumeration, and ESC exposure detection.
Chain validation, SAN/EKU review, TLS inspection, expiration checking, and format references
Guide to Extended Key Usage OIDs and Key Usage bits — what each means, dangerous combinations, and template hardening.
Checklist for validating certificate chains — trust anchors, intermediate CAs, revocation, and path length constraints.
How to inspect TLS certificates using openssl, certutil, and browser tools — SANs, EKUs, key usage, and validity periods.
Worksheet for tracking certificate expiration across enterprise environments — inventory, alerting, and renewal planning.
Reference for PEM, DER, PFX, CER, CRT, and P7B formats — conversion commands, use cases, and compatibility notes.
Revocation infrastructure validation, CDP/AIA URL testing, OCSP troubleshooting, and PKIView cleanup
Checklist for validating CRL publication, CDP URL accessibility, AIA URL accessibility, and revocation chain integrity.
Reference for common PKIView errors — red X, yellow warning, and missing CDP/AIA entries — with resolution steps.
Step-by-step OCSP troubleshooting — responder configuration, certificate status, network accessibility, and response validation.
How to test HTTP-based CRL and AIA publication endpoints — tools, commands, and common failure modes.
Checklist for publishing offline Root CA CRLs — scheduling, publication steps, validation, and monitoring.
ESC1–ESC8 risk review, enrollment permissions, exportable key detection, and template hardening
Checklist for reviewing certificate templates against ESC1 through ESC8 attack paths — with detection and remediation guidance.
Risk matrix for classifying certificate templates by attack surface — enrollment rights, EKU, subject supply, and key exportability.
Worksheet for reviewing auto-enrollment configuration — GPO settings, template permissions, and enrollment agent controls.
Security checklist for code signing certificate templates — key protection, EKU, enrollment rights, and timestamping requirements.
Guide for reviewing client authentication templates — enrollment permissions, SAN settings, and PKINIT compatibility.
Offline root CA planning, issuing CA deployment, migration readiness, and legacy CA retirement
Checklist for designing a two-tier PKI hierarchy — Root CA placement, Issuing CA configuration, and publication infrastructure.
Planning guide for offline Root CA deployment — hardware, OS hardening, key generation, and physical security requirements.
Step-by-step checklist for deploying an enterprise Issuing CA — installation, configuration, template publishing, and validation.
Readiness checklist for PKI migration projects — inventory, dependency mapping, cutover planning, and rollback procedures.
Checklist for safely retiring legacy CAs — certificate inventory, revocation, AD cleanup, and stakeholder communication.
Worksheet for building a certificate inventory — discovery methods, classification, ownership, and expiration tracking.
Validation checklist for PKI cutover events — enrollment testing, revocation validation, and application compatibility checks.
Decision framework for PKI architecture choices — CA hierarchy depth, HSM requirements, online vs. offline roots, and cloud PKI options.
Step-by-step playbook for responding to a CA compromise — containment, revocation, re-issuance, and stakeholder communication.
Defensive educational demo: how CA compromise risk develops through weak governance, template misconfiguration, and poor key protection — with detection and hardening guidance.
Advanced guide for three-tier PKI hierarchies with HSM-backed Root CAs — design, key ceremony, and operational procedures.
Cisco ISE, EAP-TLS validation, machine/user certificates, NPS/RADIUS, VPN, and smart card troubleshooting
Checklist for validating certificates used in Cisco ISE EAP-TLS deployments — CA trust, template settings, and revocation.
Guide for validating machine certificates — auto-enrollment, template settings, chain validation, and NPS compatibility.
Troubleshooting guide for VPN certificate issues — chain validation, revocation, EKU requirements, and common failure modes.
Checklist for reviewing smart card and PIV certificate deployments — template settings, PKINIT, and logon validation.
Worksheet for diagnosing identity certificate issues — enrollment failures, revocation errors, and authentication problems.
Code signing templates, timestamping, S/MIME planning, document signing, HSM-backed signing
Security checklist for code signing deployments — key protection, HSM requirements, timestamping, and certificate lifecycle.
Planning guide for enterprise S/MIME deployments — certificate templates, auto-enrollment, key archival, and client configuration.
Checklist for document signing certificate deployments — EKU requirements, key protection, and signing workflow validation.
Guide for selecting and validating timestamp authorities — RFC 3161 compliance, long-term validation, and TSA certificate requirements.
Readiness checklist for HSM-backed signing deployments — HSM selection, key ceremony, integration, and operational procedures.
Post-quantum readiness, crypto-agility planning, NIST standards tracking, and cryptographic inventory
Checklist for assessing post-quantum cryptography readiness — cryptographic inventory, algorithm exposure, and migration planning.
Worksheet for planning crypto-agility — algorithm dependencies, system inventory, migration priority, and timeline planning.
Template for building a cryptographic inventory — algorithms in use, key lengths, certificate lifetimes, and system dependencies.
Guide for planning hybrid certificate deployments — combining classical and post-quantum algorithms for transition-period security.
Four-phase migration roadmap for transitioning enterprise PKI to post-quantum algorithms — inventory, pilot, migration, and validation.
Quick reference for NIST post-quantum standards — ML-KEM, ML-DSA, SLH-DSA, FN-DSA, and HQC — with algorithm selection guidance.
Risk assessment framework for evaluating HNDL exposure — data classification, encryption inventory, and prioritization guidance.
Curated links to official documentation, research, and trusted public tools — links open on external sites
InsecurePlanet-created checklists, worksheets, and runbooks for enterprise PKI operations
Comprehensive ESC1–ESC13 assessment checklist with CA hardening and enrollment endpoint review.
Readiness assessment for PKI migration projects — inventory, dependencies, cutover, and rollback.
Structured worksheet for auditing all certificate templates against ESC attack paths.
Validation checklist for revocation infrastructure — CRL publication, CDP/AIA URLs, and OCSP.
Post-quantum cryptography readiness assessment — algorithm inventory, exposure, and migration planning.
Four-phase roadmap for transitioning enterprise PKI to post-quantum algorithms — inventory through validation.
Worksheet for building a full enterprise certificate inventory with expiration tracking.
Complete toolkit combining ADCS health check, template review, and revocation validation checklists.
Step-by-step runbook for building and commissioning an offline Root CA from scratch.
Step-by-step runbook for deploying an enterprise Issuing CA — installation through production validation.
Runbook for configuring HTTP-based CRL and AIA publication — IIS setup, URL testing, and monitoring.
Step-by-step playbook for CA compromise response — containment, revocation, re-issuance, and communication.
The InsecurePlanet PKI Toolbox is provided for educational and defensive cybersecurity purposes. Always validate tools, scripts, commands, and guidance in a lab or test environment before using them in production. Follow your organization's change control, security, and compliance processes.