Enterprise PKI

Public Key Infrastructure (PKI) is an infrastructure service used to manage the issuance and lifecycle of digital certificates. Its primary use case in the modern enterprise is to provide strong, phishing-resistant, certificate-based authentication that does not rely on passwords. Microsoft Active Directory Certificate Services (AD CS) is a commonly deployed enterprise PKI solution.


Enterprise PKI solutions are often deployed improperly. It is common to find PKI services running on domain controllers or co-located with other workloads, which is not recommended. Many enterprise PKI deployments also consist of only a single certification authority (CA). Both of these deployment choices present serious security challenges and impose serious operational limitations.

Tiered PKI

A tiered model is the recommended way to deploy an enterprise PKI. At a minimum, a two-tier model should be employed, consisting of a single offline root CA and at least two online issuing CAs for redundancy.


Servers hosting Certificate Revocation Lists (CRLs) should be configured to serve them over HTTP for the highest level of interoperability. CRL servers should also be made highly available, since clients that cannot retrieve a current CRL may fail certificate validation. Online Certificate Status Protocol (OCSP) responders can also be deployed when certificate revocation is frequent.
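A quick way to verify the two points above on an existing deployment is to inspect the CRL Distribution Points (CDP) extension of a certificate issued by an online issuing CA and confirm that every published location is an HTTP URL that actually answers. The following PowerShell script is an added example and is not code from the original page or from Richard M. Hicks Consulting; the certificate path is a placeholder, and the script assumes it is run on a Windows host with PowerShell 5.1 or later.

```powershell
# Added example (not part of the original page): audit the CRL Distribution
# Points of an issued certificate for HTTP-only entries and reachability.
# Assumption: $CertPath points at a DER/PEM .cer file issued by your CA
# (placeholder value below; replace before running).

param(
    [string]$CertPath = "C:\placeholder\issued-cert.cer"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate has no CDP extension; relying parties cannot locate a CRL."
    return
}

# Format($true) renders the extension as multi-line text containing "URL=..." entries.
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    # LDAP or HTTPS locations reduce interoperability for non-domain-joined
    # clients (and HTTPS CDPs create a revocation-check dependency loop).
    if ($url -notmatch '^http://') {
        Write-Warning "Non-HTTP CDP entry: $url"
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Output ("OK   {0} -> HTTP {1}" -f $url, $resp.StatusCode)
    }
    catch {
        Write-Warning ("CRL endpoint unreachable: {0} ({1})" -f $url, $_.Exception.Message)
    }
}
```

Run the script against a freshly issued certificate from each issuing CA; a warning for every CDP entry indicates clients outside the domain (or during an outage of one CRL host) would be unable to complete revocation checking, which is exactly the gap that HTTP publication and a highly available CRL host are meant to close.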

Cloud PKI

Microsoft Intune Cloud PKI can be used to issue and manage user and device authentication certificates for Intune-managed endpoints. Cloud PKI eliminates the need for on-premises PKI infrastructure.


Richard M. Hicks Consulting, Inc. provides the following enterprise PKI consulting services.

  • New PKI deployment
  • Upgrade CA servers
  • Migration of existing PKI services
  • PKI configuration review and assessment
  • Microsoft Intune Cloud PKI deployment
  • Intune certificate issuance and management

Let Us Help!

All services can be performed on-site or remotely. Enter your contact information in the form below for more details.