u/aprimeproblem

▲ 21 r/PKI

My biggest takeaways from Microsoft’s Post-Quantum AD CS announcements...

I just published a blog on Microsoft’s post-quantum announcements for AD CS and Windows Server 2025 after watching the recent Windows Server 2025 Summit sessions.

One of the biggest takeaways for me was not even the algorithms themselves. It was the realization that post-quantum migration is probably going to expose just how much cryptographic technical debt many of us are still carrying around.

Microsoft demonstrated support for ML-DSA-based Certificate Authorities, post-quantum signing scenarios, OCSP signing, and discussed upcoming support for composite certificates and ML-KEM. But one detail that really stood out was the confirmation that existing Certificate Authorities cannot simply be converted afterward. New CAs will eventually need to be deployed. This stops being a “future cryptography problem” and starts becoming a real PKI architecture discussion, imho.

The more I watched the session and followed the discussions afterward (also on Reddit), the clearer it became that the hardest part of this transition may not be quantum computing itself. It may be the reality of legacy infrastructure, old CSP dependencies, outdated TLS implementations, unsupported appliances, vendor limitations, and years of operational complexity quietly buried inside enterprise environments.

My blog is less about “quantum panic” and more about what this realistically means for enterprise PKI environments, AD CS, internal trust, and long-term cryptographic planning.

Would genuinely love to hear some feedback on the matter.

https://michaelwaterman.nl/2026/05/15/windows-server-2025-and-post-quantum-pki/

u/aprimeproblem — 6 days ago
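The post's point about "cryptographic technical debt" (CAs on legacy CSPs, weak signature hashes, undersized RSA keys, long-lived classical certificates) is something you can start measuring today. The script below is an added example, not code from the post or from the linked blog, that inventories the local AD CS CA configuration and the machine certificate stores. It assumes the standard AD CS registry layout under `HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\CSP` with the values `Provider`, `ProviderType`, `HashAlgorithm` and `CNGHashAlgorithm`, that `ProviderType` of 0 denotes a CNG key storage provider rather than a legacy CryptoAPI CSP, and it uses an arbitrary planning horizon of 2030 to flag classical keys that will still be in service then. Run it elevated on a CA for the CA section; the certificate scan works on any Windows host.

```powershell
# Added example (not from the Reddit post or the linked blog): inventory
# cryptographic technical debt on a Windows host that may run AD CS.
# Assumptions: standard AD CS registry layout; ProviderType 0 = CNG KSP;
# 2030 is an arbitrary planning horizon, adjust to your own roadmap.

$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaCryptoConfig {
    # One object per CA configured on this host: which key provider it uses and
    # which hash it signs with. A CA bound to a legacy CSP cannot be moved to a
    # CNG-only algorithm such as ML-DSA in place; it needs a new CA.
    if (-not (Test-Path $CertSvcConfig)) { return }
    foreach ($ca in Get-ChildItem -Path $CertSvcConfig) {
        $cspKey = Join-Path -Path $ca.PSPath -ChildPath 'CSP'
        $csp = Get-ItemProperty -Path $cspKey -ErrorAction SilentlyContinue
        if (-not $csp) { continue }
        $hash = if ($csp.CNGHashAlgorithm) { $csp.CNGHashAlgorithm }
                else { 'CSP ALG_ID 0x{0:X}' -f [int]$csp.HashAlgorithm }   # e.g. 0x8004 = SHA-1
        [pscustomobject]@{
            CA            = $ca.PSChildName
            Provider      = $csp.Provider
            IsLegacyCsp   = ([int]$csp.ProviderType -ne 0)   # assumption: 0 means CNG KSP
            HashAlgorithm = $hash
        }
    }
}

function Get-WeakCertificates {
    param(
        [string[]]$StorePaths  = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'),
        [int]$MinRsaBits       = 2048,
        [int]$HorizonYear      = 2030
    )
    foreach ($store in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $store -ErrorAction SilentlyContinue)) {
            $findings = @()
            $sigName  = [string]$cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256ECDSA
            if ($sigName -match 'md5|sha1') { $findings += "weak signature hash ($sigName)" }

            # Resolve the public key type without touching the (possibly absent) private key.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $ec  = if ($rsa) { $null } else { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert) }
            $keyAlg  = if ($rsa) { 'RSA' } elseif ($ec) { 'ECDSA' } else { $cert.PublicKey.Oid.FriendlyName }
            $keyBits = if ($rsa) { $rsa.KeySize } elseif ($ec) { $ec.KeySize } else { $null }

            if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $findings += "RSA-$($rsa.KeySize) below $MinRsaBits" }
            # Classical (RSA/ECDSA) keys still valid past the planning horizon are the ones
            # a PQ migration has to replace, not just let expire.
            if (($rsa -or $ec) -and $cert.NotAfter.Year -ge $HorizonYear) {
                $findings += "classical key still valid in $($cert.NotAfter.Year)"
            }

            [pscustomobject]@{
                Store              = $store
                Subject            = $cert.Subject
                Thumbprint         = $cert.Thumbprint
                SignatureAlgorithm = $sigName
                KeyAlgorithm       = $keyAlg
                KeyBits            = $keyBits
                NotAfter           = $cert.NotAfter
                Findings           = ($findings -join '; ')
            }
        }
    }
}

# Usage: CA provider/hash summary first, then only the certificates with findings.
Get-CaCryptoConfig | Format-Table -AutoSize
Get-WeakCertificates | Where-Object { $_.Findings } | Sort-Object NotAfter | Format-Table -AutoSize
```

Certificates whose public key is neither RSA nor ECDSA (for example an ML-DSA certificate issued by a Windows Server 2025 CA) fall through with the raw OID friendly name and no classical-key finding, so the report naturally separates what still has to migrate from what already has. Extend `$StorePaths` with `Cert:\CurrentUser\My` or remote stores as your scope requires.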