Is it time to rethink
your Microsoft PKI?

Microsoft PKI – also known as Active Directory Certificate Services (ADCS) – has been a reliable
tool for you over the years, but times have changed. It's time to say goodbye to Microsoft PKI.

The 2000s called,
they want their PKI back

Active Directory Certificate Services (ADCS) was first introduced in
2000. Since then, it’s been an easy choice for teams to manage
public key infrastructure (PKI). However, as companies evolved,
ADCS simply hasn’t kept up. For many organizations, it’s become
more of an operational headache than a benefit.

pki 2000s

53 %

Say they don’t have enough staff
to deploy and maintain their PKI

58 %

Say reducing the complexity of
PKI infrastructure is their #1


The average number of PKI
and CA tools in use across

7 reasons why you should

Say goodbye
to Microsoft PKI


Cloud migration

It’s no secret – hybrid and multi-cloud are the new norm. 76% of organizations have or plan to adopt a multi-cloud strategy within the next 12 months. Where does ADCS fit into all of this? That’s the problem, it doesn’t. To support cloud-native services like Intune, Azure Key Vault, and Entra ID (Azure AD), you need a new approach.


New use cases

In today's iT environment, SCEP and Autoenrollment only get you so far. The move to hybrid work, multi-cloud, and DevOps creates a new set of challenges that demand more extensibility, including modern protocols like ACME, EST, CMP, and REST, and pre-built integrations with popular tools.


Growing complexity

Without an adequate solution, each team chooses different tools to meet their use case, creating a complex web of PKI that’s impossible to manage. In fact, the average organization now uses more than 9 different PKI and CA tools, creating inefficiency, inconsistency, and infrastructure complexity.


PKI where you need it

Cloud and infrastructure teams need to move fast, run anywhere, and automate as much as possible. That means you need the flexibility to deploy on-prem or in the cloud, as a container or virtual machine, and spin up new CAs and certificates within minutes, not days.


Security risks

Insecure ADCS deployments were listed in the NSAs Top Ten Cybersecurity Misconfigurations. Modern PKI solutions built on open standards, well-documented guidance, and trusted open-source frameworks help you avoid security risks that arise from misconfiguration or frequent software vulnerabilities.


Skills shortages

You need more resources just to keep your PKI running, but it’s a rare skillset, and even if you have it, bandwidth is slim. PKI has come a long way since 2000, offering new turnkey and SaaS-based delivery models that provide the same level of security, without the effort and expense of running it on-premise.


Evolving ecosystem

ADCS hasn't seen any major updates since 2012. By shifting to a PKI solution that is continuously developed and supported with new features, you’ll be ready to meet new requirements head on – things like containerization, new industry standards, and even quantum-safe certificates.

Microsoft’s response

Microsoft also recognizes the problems with its legacy approach, but the
proposed alternative is far from a replacement for ADCS. Built only for
Intune, Microsoft Cloud PKI really doesn’t solve a whole lot.
Conversely, it adds to the problem of costly and inefficient PKI silos. It’s
time for a new approach.


The modern alternative
to Microsoft PKI

Switch to EJBCA and experience PKI that deploys fast, runs wherever you do, and goes
beyond Microsoft to support all of your modern applications and use cases.

One PKI, your way

Meet your organization’s specific security and operational requirements. EJBCA can run as an appliance, a container, a virtual machine, in the cloud, on-premises, SaaS-delivered, or even as a 24/7 managed PKI.

One PKI, anywhere

Don’t get locked in or locked out. EJBCA is platform- and cloud-agnostic, giving you the flexibility to build and adapt your PKI as your business evolves, whether it’s in one cloud or multiple clouds and regions.

One PKI, any use case

Meet any use case head on with a PKI that supports virtually any certificate type, multiple algorithms, and modern protocols like ACME, EST, CMP, REST API, as well as SCEP and autoenrollment.

One PKI, at your speed

Keep up with new business initiatives by automating traditionally manual PKI processes, such as CA installation and configuration, so you can spend less time maintaining and more time enabling.

One PKI, at your scale

Start with a small instance or go all-in with an XL – EJBCA is built for any size. Reduce operational complexity by deploying multiple CAs on a single installation or cluster nodes for high availability and scale.

One PKI, built secure

EJBCA is Common Criteria certified and continuously tested and developed to ensure robust security, helping you meet even the most stringent policy and compliance requirements.

EJBCA vs Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

Keyfactor EJBCA

Microsoft PKI

*This is a biased overview of capabilities by use case based on publicly available information and customer interviews as of 2023-09-18

Ready to modernize
your PKI?

Migration can be daunting – we understand. That’s
why Keyfactor provides multiple paths to modernize
your PKI, whether it’s a complete replacement, slow
migration over time, or even running in tandem with
your existing PKI to support modern use cases.