Thank you for subscribing. You now have access to the free InsecurePlanet PKI Toolbox resources for engineers, architects, and administrators.
Your free subscription unlocks all current free PKI Toolbox resources. Some advanced tools, premium templates, scripts, or consulting resources may require separate approval or premium access.
Sign up once for free access to all InsecurePlanet PKI Toolbox resources — checklists, worksheets, guides, and references for enterprise PKI professionals.
Get Free AccessHealth checks, CA configuration, template review, certutil references, and PowerShell assessment scripts
Use PKIView.msc to review Enterprise PKI health, validate CA certificate publication, check CDP and AIA availability, identify expired or unreachable CRLs, and troubleshoot common ADCS publication problems.
External links leave InsecurePlanet.com and open on their respective publisher sites.
Step-by-step checklist for reviewing your ADCS deployment — CA roles, configuration, hardening, and ESC exposure.
Structured worksheet for auditing certificate templates — EKU, enrollment rights, subject supply, and manager approval settings.
Practical certutil commands for certificate inspection, CRL validation, CA management, and troubleshooting — with examples.
Checklist for backing up Root and Issuing CAs — private keys, CA database, registry, and recovery validation steps.
Validation checklist for newly deployed Root and Issuing CAs — configuration, publication, and enrollment testing.
PowerShell script for automated ADCS environment assessment — CA configuration, template enumeration, and ESC exposure detection.
Chain validation, SAN/EKU review, TLS inspection, expiration checking, and format references
Guide to Extended Key Usage OIDs and Key Usage bits — what each means, dangerous combinations, and template hardening.
Checklist for validating certificate chains — trust anchors, intermediate CAs, revocation, and path length constraints.
How to inspect TLS certificates using openssl, certutil, and browser tools — SANs, EKUs, key usage, and validity periods.
Worksheet for tracking certificate expiration across enterprise environments — inventory, alerting, and renewal planning.
Reference for PEM, DER, PFX, CER, CRT, and P7B formats — conversion commands, use cases, and compatibility notes.
Revocation infrastructure validation, CDP/AIA URL testing, OCSP troubleshooting, and PKIView cleanup
Checklist for validating CRL publication, CDP URL accessibility, AIA URL accessibility, and revocation chain integrity.
Reference for common PKIView errors — red X, yellow warning, and missing CDP/AIA entries — with resolution steps.
Step-by-step OCSP troubleshooting — responder configuration, certificate status, network accessibility, and response validation.
How to test HTTP-based CRL and AIA publication endpoints — tools, commands, and common failure modes.
Checklist for publishing offline Root CA CRLs — scheduling, publication steps, validation, and monitoring.
ESC1–ESC8 risk review, enrollment permissions, exportable key detection, and template hardening
Checklist for reviewing certificate templates against ESC1 through ESC8 attack paths — with detection and remediation guidance.
Risk matrix for classifying certificate templates by attack surface — enrollment rights, EKU, subject supply, and key exportability.
Worksheet for reviewing auto-enrollment configuration — GPO settings, template permissions, and enrollment agent controls.
Security checklist for code signing certificate templates — key protection, EKU, enrollment rights, and timestamping requirements.
Guide for reviewing client authentication templates — enrollment permissions, SAN settings, and PKINIT compatibility.
Offline root CA planning, issuing CA deployment, migration readiness, and legacy CA retirement
Checklist for designing a two-tier PKI hierarchy — Root CA placement, Issuing CA configuration, and publication infrastructure.
Planning guide for offline Root CA deployment — hardware, OS hardening, key generation, and physical security requirements.
Step-by-step checklist for deploying an enterprise Issuing CA — installation, configuration, template publishing, and validation.
Readiness checklist for PKI migration projects — inventory, dependency mapping, cutover planning, and rollback procedures.
Checklist for safely retiring legacy CAs — certificate inventory, revocation, AD cleanup, and stakeholder communication.
Worksheet for building a certificate inventory — discovery methods, classification, ownership, and expiration tracking.
Validation checklist for PKI cutover events — enrollment testing, revocation validation, and application compatibility checks.
Decision framework for PKI architecture choices — CA hierarchy depth, HSM requirements, online vs. offline roots, and cloud PKI options.
Step-by-step playbook for responding to a CA compromise — containment, revocation, re-issuance, and stakeholder communication.
Defensive educational demo: how CA compromise risk develops through weak governance, template misconfiguration, and poor key protection — with detection and hardening guidance.
Advanced guide for three-tier PKI hierarchies with HSM-backed Root CAs — design, key ceremony, and operational procedures.
Cisco ISE, EAP-TLS validation, machine/user certificates, NPS/RADIUS, VPN, and smart card troubleshooting
Checklist for validating certificates used in Cisco ISE EAP-TLS deployments — CA trust, template settings, and revocation.
Guide for validating machine certificates — auto-enrollment, template settings, chain validation, and NPS compatibility.
Troubleshooting guide for VPN certificate issues — chain validation, revocation, EKU requirements, and common failure modes.
Checklist for reviewing smart card and PIV certificate deployments — template settings, PKINIT, and logon validation.
Worksheet for diagnosing identity certificate issues — enrollment failures, revocation errors, and authentication problems.
Code signing templates, timestamping, S/MIME planning, document signing, HSM-backed signing
Security checklist for code signing deployments — key protection, HSM requirements, timestamping, and certificate lifecycle.
Planning guide for enterprise S/MIME deployments — certificate templates, auto-enrollment, key archival, and client configuration.
Checklist for document signing certificate deployments — EKU requirements, key protection, and signing workflow validation.
Guide for selecting and validating timestamp authorities — RFC 3161 compliance, long-term validation, and TSA certificate requirements.
Readiness checklist for HSM-backed signing deployments — HSM selection, key ceremony, integration, and operational procedures.
Post-quantum readiness, crypto-agility planning, NIST standards tracking, and cryptographic inventory
Checklist for assessing post-quantum cryptography readiness — cryptographic inventory, algorithm exposure, and migration planning.
Four-phase migration roadmap for transitioning enterprise PKI to post-quantum algorithms — inventory, pilot, migration, and validation.
Worksheet for planning crypto-agility — algorithm dependencies, system inventory, migration priority, and timeline planning.
Template for building a cryptographic inventory — algorithms in use, key lengths, certificate lifetimes, and system dependencies.
Guide for planning hybrid certificate deployments — combining classical and post-quantum algorithms for transition-period security.
Quick reference for NIST post-quantum standards — ML-KEM, ML-DSA, SLH-DSA, FN-DSA, and HQC — with algorithm selection guidance.
Risk assessment framework for evaluating HNDL exposure — data classification, encryption inventory, and prioritization guidance.
The InsecurePlanet PKI Toolbox is provided for educational and defensive cybersecurity purposes. Always validate tools, scripts, commands, and guidance in a lab or test environment before using them in production. Follow your organization's change control, security, and compliance processes.