Enterprise PKI

Public Key Infrastructure (PKI) is an infrastructure service used to manage the issuance, renewal, and revocation of digital certificates. In the modern enterprise its primary use case is strong, certificate-based authentication of users and devices that does not rely on passwords. Microsoft Active Directory Certificate Services (AD CS) is a commonly deployed enterprise PKI solution.


Enterprise PKI solutions are often deployed improperly. It is common to find PKI services running on domain controllers or co-located with other workloads, which is not recommended: the CA's signing key then inherits the exposure of every other role on that host, and the CA cannot be patched, isolated, or rebuilt independently of them. Also, many enterprise PKI solutions have only a single certification authority (CA), so the root key must stay online to issue certificates, and a failure or compromise of that one CA means reissuing every certificate in the organization. Both deployment options present serious security challenges and impose serious operational limitations.

Tiered PKI

A tiered model is the recommended way to deploy an enterprise PKI. At a minimum, a two-tier model should be employed: a single offline root CA that signs only the issuing CA certificates and its own CRL, and at least two online issuing CAs for redundancy. Because the root is kept off the network, a compromise of an issuing CA can be contained by revoking that one CA certificate and standing up a replacement without replacing the trust anchor.


Servers hosting Certificate Revocation Lists (CRLs) should be configured to use the HTTP protocol for the highest level of interoperability. HTTP, not HTTPS, is the correct choice here: a client validating the CRL server's own TLS certificate would first need to fetch a CRL, creating a circular dependency, and Windows clients do not retrieve revocation data over HTTPS in any case. CRL servers should also be made highly available, because many applications (smart card logon among them) reject a certificate whose revocation status cannot be determined. Online Certificate Status Protocol (OCSP) responders can also be deployed when certificate revocation is frequent or CRLs grow large.
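The following PowerShell is an added example, not code from the original page or from Richard M. Hicks Consulting. It shows the two configuration steps the two preceding paragraphs describe on an AD CS issuing CA: publishing CRL and AIA locations over HTTP behind a highly available name, and checking that certificates the CA issues actually carry reachable HTTP CRL distribution points. The host name pki.example.com and the CA name Corp-Issuing-CA1 are assumptions for illustration.

```powershell
# Added example (not from the original page). Run on an AD CS issuing CA as an
# administrator after the CA role is installed. Assumes the ADCSAdministration
# module is present and that the hypothetical DNS alias pki.example.com fronts
# two or more web servers that host the published CRL and CA certificate files.
#Requires -RunAsAdministrator
Import-Module ADCSAdministration

$CdpHost = 'pki.example.com'   # assumed: highly available CRL/AIA web alias

# Keep only the local file path the CA writes to; drop the default LDAP, HTTP
# and file:// URLs that point at this one server so issued certificates do not
# embed a single point of failure. The CA writes its CRL to the local path and
# the web hosts replicate it from there.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notlike 'C:\*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

Get-CAAuthorityInformationAccess |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# Publish the HTTP (not HTTPS) locations into every issued certificate. The
# angle-bracket tokens are AD CS replacement variables and are expanded by the CA.
Add-CACrlDistributionPoint `
    -Uri "http://$CdpHost/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

Add-CAAuthorityInformationAccess `
    -Uri "http://$CdpHost/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# Issue a base CRL weekly with a 12-hour overlap so clients always have a valid
# copy even if one publication is missed.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

Restart-Service certsvc
certutil -crl   # publish a new CRL with the updated settings

# Verification: read the CRL Distribution Points extension (OID 2.5.29.31) from
# a certificate, confirm each URL is plain HTTP, and confirm it can be fetched.
function Test-CdpUrls {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        Write-Warning "$($Certificate.Subject): no CRL Distribution Points extension"
        return
    }
    # The formatted extension text lists each location as "URL=<uri>".
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $result = [pscustomobject]@{
            Subject   = $Certificate.Subject
            Url       = $url
            IsHttp    = $url.StartsWith('http://', [StringComparison]::OrdinalIgnoreCase)
            Reachable = $false
        }
        if ($result.IsHttp) {
            try {
                $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5
                $result.Reachable = $true
            } catch {
                # Leave Reachable = $false; the caller decides how to report it.
            }
        }
        $result
    }
}

# Usage: check every certificate in the local machine store and flag any CDP
# that is not HTTP or cannot be downloaded.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CdpUrls -Certificate $_ } |
    Where-Object { -not $_.IsHttp -or -not $_.Reachable } |
    Format-Table -AutoSize
```

Run the verification function from a client that is not domain-joined as well as from a domain member; an LDAP-only CDP will appear to work from inside the forest and fail everywhere else, which is the interoperability problem the HTTP recommendation addresses.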


Richard M. Hicks Consulting, Inc. provides the following enterprise PKI consulting services.

  • New PKI deployment
  • Upgrade CA servers
  • Migration of existing PKI services
  • PKI configuration review and assessment

Let Us Help!

All services can be performed on-site or remotely. Enter your contact information in the form below for more details.
