r/PKI

▲ 7 r/PKI

Please suggest for 1 tier CA

Hi Guys,

Please help a fellow pki newbie

Sooo, we currently have an on-prem Microsoft Tier 1 CA setup where a single server is acting as both Root CA and Issuing CA (yeah, not ideal, inherited setup).

We’re planning to migrate this CA infrastructure to AWS and I’m trying to understand the cleanest and safest approach from people who’ve already done similar migrations in production.

Current environment:

Windows ADCS

Single-tier CA (Root + Issuing on same server)

IIS is also hosting certificate-related applications/pages under Default Web Site

Existing certificates are actively being used internally and externally

We also have templates, CRL/AIA locations, and auto-enrollment in place

Some of the things I’m trying to figure out:

Is taking a normal CA backup enough? From what I understand, the CA backup only captures:

CA database

Private key

Registry configuration

But it won’t include the IIS configuration/apps under Default Web Site. So for a proper migration, do I also need an IIS backup/export, app pool configs, website bindings, SSL bindings?

Please suggest

reddit.com
u/sadpumpkin1616 — 2 days ago
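An added example, not from the post, of what a pre-migration export looks like when you take the poster's own inventory (CA database, key, registry, templates, IIS) and capture the parts the CA backup leaves out. The backup path and CA-side names are placeholders; run it elevated on the existing CA.

```powershell
# Added example: capture everything the CA backup alone does not, before migrating.
# $BackupRoot is an assumed location; adjust to a volume that is not on the CA's system disk.
#Requires -RunAsAdministrator
Import-Module ADCSAdministration, WebAdministration

$BackupRoot = "D:\CA-Migration\$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. CA database + private key (password-protected PKCS#12); equivalent to certutil -backup.
$pw = Read-Host "Password for the CA key backup" -AsSecureString
Backup-CARoleService -Path "$BackupRoot\CA" -Password $pw -Force

# 2. CertSvc registry hive: CRL/AIA publication URLs, validity periods, policy/exit module settings.
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc" "$BackupRoot\CertSvc.reg" /y
certutil.exe -getreg CA\CRLPublicationURLs    > "$BackupRoot\CRLPublicationURLs.txt"
certutil.exe -getreg CA\CACertPublicationURLs > "$BackupRoot\CACertPublicationURLs.txt"

# 3. Templates live in AD, not on the CA, but the list of templates this CA publishes does not.
Get-CATemplate | Export-Csv "$BackupRoot\PublishedTemplates.csv" -NoTypeInformation

# 4. IIS: applicationHost.config, sites, app pools, HTTP/HTTPS bindings. None of this is in step 1.
& "$env:windir\system32\inetsrv\appcmd.exe" add backup "CA-Migration"   # -> inetsrv\backup\CA-Migration
Get-Website | Select-Object Name, PhysicalPath, State |
    Export-Csv "$BackupRoot\IIS-Sites.csv" -NoTypeInformation
Get-WebBinding | Select-Object protocol, bindingInformation, sslFlags, certificateHash, certificateStoreName |
    Export-Csv "$BackupRoot\IIS-Bindings.csv" -NoTypeInformation
Get-ChildItem IIS:\AppPools | Select-Object Name, State, managedRuntimeVersion, managedPipelineMode |
    Export-Csv "$BackupRoot\IIS-AppPools.csv" -NoTypeInformation
# SSL bindings map IP:port to a certificate thumbprint; the certificates themselves are in LocalMachine\My.
netsh.exe http show sslcert > "$BackupRoot\http-sslcert.txt"

# 5. Hashes, so the copy to AWS can be verified before anything is restored.
$hashes = Get-ChildItem $BackupRoot -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv "$BackupRoot\SHA256SUMS.csv" -NoTypeInformation
```

The PKCS#12 from step 1 is the root key; move it only over an encrypted channel, delete the on-disk copy once the AWS side is verified, and check the CRL/AIA URLs from step 2 before cutting over, because every certificate the old server issued embeds them and clients will keep fetching from those hostnames.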
▲ 12 r/PKI

Whats recommended for the offline root, issuing intermediate CAs, and end entities that maximizes security without breaking legacy device and app compatibility?

I have seen ECDSA recommended over RSA, but won’t that break functionality in any environment that needs to maintain legacy compatibility?

reddit.com
u/Fabulous_Cow_4714 — 10 days ago
▲ 11 r/PKI+1 crossposts

The CA/Browser Forum's Ballot SC-081 is already in effect. 200-day max as of March 2026, 100 days in March 2027, 47 days in March 2029.

The math on renewal workload scales linearly: 50 certificates managed manually goes from ~50 renewals a year at 398 days to ~400 at 47 days. Same cert count, 8x the operations work.

Wrote up the canonical schedule and what it does to teams still running manual processes: https://www.certkit.io/blog/shrinking-certificate-lifetimes

certkit.io
u/certkit — 9 days ago
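An added example, not from the post, that walks a fleet of certificates through the step-down the post describes and counts renewals per calendar year, so the "8x" is reproduced rather than estimated. The lifetimes are the ballot's; the 15 March effective dates used here are taken from the ballot text but should be treated as an assumption if your copy says otherwise.

```powershell
# Added example: renewal workload per calendar year under the SC-081 step-down.
# Maximum lifetime depends on the date each certificate is issued, so a fleet that
# renews on expiry crosses each threshold at a different point.
$Sc081Schedule = @(
    @{ From = [datetime]'2029-03-15'; Days = 47  },
    @{ From = [datetime]'2027-03-15'; Days = 100 },
    @{ From = [datetime]'2026-03-15'; Days = 200 },
    @{ From = [datetime]::MinValue;   Days = 398 }
)

function Get-MaxLifetimeDays {
    param([datetime]$IssuedOn)
    foreach ($step in $Sc081Schedule) {
        if ($IssuedOn -ge $step.From) { return $step.Days }
    }
}

function Measure-RenewalLoad {
    <# Renewals per year for $CertCount certificates that are always issued for the
       maximum allowed lifetime and renewed $LeadDays before expiry (0 = on the day). #>
    param(
        [datetime]$FirstIssued,
        [int]$CertCount,
        [datetime]$Until,
        [int]$LeadDays = 0
    )
    $perYear = [ordered]@{}
    $issued = $FirstIssued
    while ($true) {
        $expires = $issued.AddDays((Get-MaxLifetimeDays $issued))
        $renewOn = $expires.AddDays(-$LeadDays)
        if ($renewOn -gt $Until) { break }
        $year = $renewOn.Year.ToString()      # string key: an int would index by position
        $perYear[$year] = [int]$perYear[$year] + $CertCount
        $issued = $renewOn
    }
    return $perYear
}

# 50 certificates first issued 1 Jan 2025, tracked to the end of 2030.
Measure-RenewalLoad -FirstIssued '2025-01-01' -CertCount 50 -Until '2030-12-31'
```

With those inputs it reports 50 renewals in 2026 (one 398-day cycle) and 400 in 2030 (eight 47-day cycles), the 8x in the post. Re-run with -LeadDays 30: a fixed "renew a month before expiry" rule that was harmless at 398 days turns into a 17-day cycle at 47, which is the kind of policy a manual process usually has baked in somewhere.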
▲ 29 r/PKI

Heads up. Let's Encrypt paused all production + staging issuance while they investigate a potential incident.

The TLDR:

  • New certs and renewals are failing right now
  • Existing certs are unaffected — your sites stay up
  • Turn off your retry loops. Rate limits will bite hard the second issuance resumes

Status page: https://letsencrypt.status.io/

LE flagged this as "potential" - they halt preemptively whenever something looks off, so this could clear in an hour or run longer.

u/certctl — 5 days ago
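An added example, not from the post, of what replacing a retry loop with a gated single attempt looks like on a Windows host: one attempt per scheduled run, a local failure budget kept below the CA-side limit, and exponential backoff with jitter. The 5-failed-validations-per-hostname-per-hour figure is an assumption taken from Let's Encrypt's published limits; check the current rate-limit page. The log path and the client command line are placeholders.

```powershell
# Added example: gate each renewal attempt so an outage at the CA does not turn into
# burned rate-limit budget the moment issuance resumes.
$FailureLog  = "$env:ProgramData\acme-renew\failures.log"  # assumed; "host<TAB>unix-seconds" per line
$HourlyLimit = 5                  # assumed CA-side failed-validation limit per hostname per hour
$LocalBudget = $HourlyLimit - 1   # stop one short so the CA never counts the last one
$BaseWaitSec = 300                # first backoff: up to 5 minutes
$MaxWaitSec  = 6 * 3600           # never wait longer than 6 hours between attempts

function Get-FailuresSince {
    # Unix timestamps of this hostname's failures newer than $SinceUnix, oldest first.
    param([string]$Hostname, [long]$SinceUnix)
    if (-not (Test-Path $FailureLog)) { return @() }
    $out = foreach ($line in Get-Content $FailureLog) {
        $h, $t = $line -split "`t", 2
        if ($h -eq $Hostname -and [long]$t -gt $SinceUnix) { [long]$t }
    }
    return @($out | Sort-Object)
}

function Test-ShouldAttempt {
    # $false while the hourly budget is used up or the jittered backoff has not elapsed.
    param([string]$Hostname, [long]$NowUnix)
    $recent = Get-FailuresSince $Hostname ($NowUnix - 3600)
    if ($recent.Count -ge $LocalBudget) { return $false }
    if ($recent.Count -eq 0) { return $true }
    $wait   = [math]::Min($MaxWaitSec, $BaseWaitSec * [math]::Pow(2, $recent.Count - 1))
    $jitter = Get-Random -Minimum 0 -Maximum ([int]$wait + 1)   # full jitter spreads clients out
    return $NowUnix -ge ($recent[-1] + $jitter)
}

function Invoke-RenewalOnce {
    param([string]$Hostname)
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if (-not (Test-ShouldAttempt $Hostname $now)) {
        Write-Warning "${Hostname}: recent failures or backoff pending, not retrying this run"
        return $false
    }
    # Placeholder for the real client call (certbot, win-acme, Posh-ACME, ...).
    & certbot renew --cert-name $Hostname --non-interactive
    if ($LASTEXITCODE -eq 0) { return $true }
    Add-Content -Path $FailureLog -Value "$Hostname`t$now"
    return $false
}

# Run from a scheduled task every 15-30 minutes; do not wrap this in a while loop.
Invoke-RenewalOnce -Hostname 'www.example.com'
```

The gate only matters for new orders and renewals; existing certificates keep working during the pause, which is the other half of the post's point, so there is nothing for the task to do faster.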
▲ 4 r/PKI+1 crossposts

Hey guys,

We have just duplicated the default Web Server cert template and ticked the CA manager approval required option on the certificate template so the admins can request certificates with a manager's approval.

The certificate request goes through fine, but when the user tries to retrieve the certificate, they get this error:

Active Directory Certificate Services could not process request 2876 due to an error: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED). Additional information: Error verifying access
Event ID 22 in the Application log.

On the cert template, the permissions look like this:
Authenticated users : read and enroll
Domain computers : read and enroll

Upon looking at the security event logs:

  1. When the cert requests come through, the requestor is the computer account, as they are requesting the cert via the certlm.msc console > Personal > request the cert.
  2. After the CA manager approves the request, when a user tries to request the certificate, the requestor shows as their logged-in user account on the computer they are requesting the certificate from.

Quick fix that worked (is this the standard?):

  1. I added their user account with Read & Request Certificates on the CA Properties > Security tab, which allowed them to retrieve the certificate.

Any guess what I am missing here?
or
Does any configuration need to be altered?
and
What is the standard best practice when it comes to a web server certificate that has a SAN to be supplied in the request?

Thanks a lot.

reddit.com
u/Top-Height4256 — 13 days ago
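An added example, not from the post, of the scripted way to do a SAN web server request against a template that needs CA manager approval: the SAN is carried in the request, the request is submitted, the pending request is checked, and after approval it is retrieved and bound to its key. Everything runs under one elevated principal, so the request, retrieval and accept share a requester and a key store. The CA config string, template name and hostnames are placeholders.

```powershell
# Added example: certreq flow for a SAN web server cert with CA manager approval.
# Run elevated; MachineKeySet = true then places the key in the machine store.
#Requires -RunAsAdministrator
$CAConfig = 'ca01.corp.example\Corp-Issuing-CA'   # assumed; list real values with: certutil -config - -ping
$Template = 'WebServerApproved'                    # assumed name of the duplicated template
$Subject  = 'CN=app01.corp.example'
$Sans     = 'app01.corp.example', 'app01', '10.0.0.25'
$Work     = "$env:ProgramData\certreq\app01"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# SAN extension (2.5.29.17) in {text} form: dns= for names, ipaddress= for literal addresses.
$sanLines = $Sans | ForEach-Object {
    if ($_ -as [ipaddress]) { "_continue_ = `"ipaddress=$_&`"" } else { "_continue_ = `"dns=$_&`"" }
}
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 3072
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = true
Exportable = false
KeySpec = 1
KeyUsage = 0xa0
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`n")
"@ | Set-Content "$Work\app01.inf" -Encoding Ascii

certreq.exe -new "$Work\app01.inf" "$Work\app01.req"
# With manager approval on the template, -submit returns "Taken Under Submission" and a RequestId.
$submit    = certreq.exe -submit -config $CAConfig "$Work\app01.req" "$Work\app01.cer" | Out-String
$requestId = [regex]::Match($submit, 'RequestId:\s*(\d+)').Groups[1].Value

# Who the CA recorded as requester, and the state: 9 = pending, 20 = issued, 30 = denied.
certutil.exe -config $CAConfig -view -restrict "RequestId=$requestId" -out "RequestId,RequesterName,Disposition"

# After a certificate manager issues it (CA MMC > Pending Requests > Issue), pull it down
# as the same principal that submitted it and bind it to the machine-store key.
certreq.exe -retrieve -config $CAConfig $requestId "$Work\app01.cer"
certreq.exe -accept "$Work\app01.cer"
```

The certutil -view line is the check to run when retrieval fails: it shows the RequesterName the CA stored for the request, which is the identity the retrieve step is compared against, and the Disposition tells you whether the request was actually issued or is still pending.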
▲ 21 r/PKI

A month ago I posted certctl here and got useful feedback, especially around network-appliance deployment, intermediates and client cert key usage, and the lack of step-by-step guides. Some of that's been addressed, some is still open.

https://certctl.io

The biggest shift: certctl now ships three enrollment-protocol servers.

RFC 8555 ACME server with RFC 9773 ARI. cert-manager, certbot, lego, and acme.sh can issue against certctl directly. Two modes per certificate profile: trust_authenticated for east-west service-mesh certs, and challenge with full HTTP-01 / DNS-01 / TLS-ALPN-01 validation.

RFC 8894 SCEP server with native Microsoft Intune challenge dispatch and per-profile dispatch. ChromeOS, Intune, and per-fleet RA-cert plus challenge-password setups all supported on one endpoint.

RFC 7030 EST server for HTTPS-based PKCS#10 enrollment: 802.1X / Wi-Fi auth, MDM IoT, FreeRADIUS.

Multi-level CA hierarchy is now a first-class managed primitive.

Issuer connectors: 5 → 12. Added HashiCorp Vault PKI, AWS Private CA, Google CAS, DigiCert CertCentral, Sectigo, GlobalSign, EJBCA, and Entrust. ADCS still isn't shipped; a GitHub issue with your specific protocol mode would help prioritize it.

Target connectors: 3 → 15. Added Caddy, Traefik, Envoy, Postfix/Dovecot, Windows Cert Store, Java Keystore, Kubernetes Secrets, AWS ACM, Azure Key Vault, and SSH (agentless via SFTP). F5 BIG-IP via iControl REST is the first network-appliance target via the proxy-agent pattern. Palo Alto (PAN-OS XML), FortiGate (FortiOS REST), and Citrix ADC (NITRO REST) are next on the roadmap, all free V2 work under BSL.

Two-person approval for high-stakes issuance via profile-level RequiresApproval=true. Self-approval is refused.

HSM-ready signer abstraction. FileDriver shipped. PKCS#11, cloud KMS, and SSH-CA drivers slot in next.

Cloud discovery for AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager. Plus existing agent filesystem scans and network CIDR scans.

Notifiers: 2 → 6 with Slack, Teams, PagerDuty, and OpsGenie added. Per-policy severity routing. Default expiry thresholds T-30 / T-14 / T-7 / T-0.

HTTPS-only control plane on TLS 1.3. Immutable audit trail.

License is still BSL 1.1, free to self-host, no paid tier. Auto-converts to Apache 2.0 in 2076.

Try it

 git clone https://github.com/certctl-io/certctl.git
 cd certctl && docker compose -f deploy/docker-compose.yml up -d
 open https://localhost:8443

Still alpha for production. Actively maintained, shipping weekly. Open an issue if something breaks.

u/certctl — 8 days ago