r/PKI

▲ 3 r/PKI

EJBCA + Entra ID - Auto-fill username & CN from OAuth claims?

Hi guys,

Just deployed EJBCA CE 9.3.7 integrated with Entra ID. Access to the RA portal works fine for my users, but now I'm stuck on the enrollment UX.

When a user clicks "Request a certificate", I want zero friction. Since they are already authenticated via Entra ID (OAuth), I don't want them to type anything.

Is it possible to automatically grab their email from the OAuth token claims and:

  1. Use it as the End Entity username?
  2. Automatically inject it into the Subject DN as the CN (e.g., CN=user@domain.com)?

Right now, it still prompts for a username or manual inputs. Can this be fully automated via End Entity Profile / Claim mapping in the Community Edition, or is it a dead end?

Thanks for the help!

u/PPROD_LE_GRAND — 13 hours ago
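Whether EJBCA CE exposes a claim-to-DN mapping for this is not something the following settles; it is an added example, not EJBCA code or anything from the post, showing what such a mapping has to do regardless of the product: decode the ID token payload, bind it to this RA (issuer and audience), pick the e-mail style claim, and escape it before it becomes a CN. The issuer, audience, tenant id, object id and the token itself are constructed placeholders, and the script assumes the RA's OIDC layer has already verified the token's signature, expiry and nonce.

```powershell
# Added example (not EJBCA code): mapping OIDC ID-token claims to an end-entity
# username and subject DN. Assumes signature/expiry/nonce were already checked
# by the RA's OIDC layer; this covers only the claim-to-DN step.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid base64url length" }
    }
    [Convert]::FromBase64String($s)
}

function Get-JwtClaims {
    # Decodes the payload segment of a compact JWS (header.payload.signature).
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected a compact JWS with three segments" }
    $json = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1]))
    $json | ConvertFrom-Json
}

function ConvertTo-Rfc4514Value {
    # Escapes an attribute value for a DN string (RFC 4514 section 2.4), so a claim
    # such as 'bob,O=Other' cannot add extra RDNs to the subject the CA signs.
    param([Parameter(Mandatory)][string]$Value)
    $sb = [Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = [string]$Value[$i]
        $escape = ($c -in @(',', '+', '"', '\', '<', '>', ';')) -or
                  ($i -eq 0 -and ($c -eq ' ' -or $c -eq '#')) -or
                  ($i -eq $Value.Length - 1 -and $c -eq ' ')
        if ($escape) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    $sb.ToString()
}

function New-EndEntityRequest {
    param(
        [Parameter(Mandatory)]$Claims,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    # Bind the token to this RA: a wrong issuer or audience means these claims are not ours to act on.
    if ($Claims.iss -ne $ExpectedIssuer)   { throw "Issuer mismatch: $($Claims.iss)" }
    if ($Claims.aud -ne $ExpectedAudience) { throw "Audience mismatch: $($Claims.aud)" }

    # Entra ID v2.0 ID tokens carry preferred_username (normally the UPN); email is optional.
    $email = if ($Claims.email) { $Claims.email } else { $Claims.preferred_username }
    if (-not $email -or $email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Token has no usable e-mail style identifier"
    }
    $email = $email.ToLowerInvariant()

    [pscustomobject]@{
        Username       = $email                                  # end-entity username, as the post wants
        SubjectDN      = "CN=$(ConvertTo-Rfc4514Value $email)"   # same value as CN, escaped
        EntraObjectId  = $Claims.oid                             # stable Entra identifier, kept for audit
    }
}

# --- Constructed sample token (unsigned; the signature segment is a placeholder) ---
$headerJson  = '{"alg":"none","typ":"JWT"}'
$payloadJson = '{"iss":"https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",' +
               '"aud":"ejbca-ra-client-id-placeholder","oid":"00000000-0000-0000-0000-000000000001",' +
               '"preferred_username":"Alice.Smith@example.com"}'
$token = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($headerJson))) + '.' +
         (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payloadJson))) + '.' +
         'SIGNATURE-PLACEHOLDER'

$claims = Get-JwtClaims $token
$entity = New-EndEntityRequest -Claims $claims `
    -ExpectedIssuer 'https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0' `
    -ExpectedAudience 'ejbca-ra-client-id-placeholder'
$entity | Format-List
```

The escaping step is the part worth keeping whatever product does the mapping: the CN is built from a value the identity provider controls, so it must be treated as data, not as DN syntax. The object id is recorded alongside because e-mail addresses in a tenant can be reassigned while the `oid` claim stays fixed.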
▲ 21 r/PKI, 17 crossposts

New Academic Research: “Zombies in Alternate Realities: The Afterlife of Domain Names in DNS Integrations”

Interesting paper on a fairly under-discussed issue in DNS: what happens to expired or repurposed domain names that remain embedded in DNS dependencies across systems. The core finding is that these “orphaned” or changed domains can persist in resolution paths and integrations long after their original context is gone, creating real security and reliability implications.

My take: this becomes even more relevant in modern AI systems, where agents, tools, plugins, and third-party APIs are rapidly stitched together. In that environment, domain names and DNS-level dependencies can quietly extend the AI supply chain attack surface in ways that are easy to overlook.

Paper: https://arxiv.org/abs/2605.06880

u/VincentADAngelo — 4 days ago
▲ 21 r/PKI

My biggest takeaways from Microsoft’s Post-Quantum AD CS announcements...

I just published a blog on Microsoft’s post-quantum announcements for AD CS and Windows Server 2025 after watching the recent Windows Server 2025 Summit sessions.

One of the biggest takeaways for me was not even the algorithms themselves. It was the realization that post-quantum migration is probably going to expose just how much cryptographic technical debt many of us are still carrying around.

Microsoft demonstrated support for ML-DSA-based Certificate Authorities, post-quantum signing scenarios, OCSP signing, and discussed upcoming support for composite certificates and ML-KEM. But one detail that really stood out was the confirmation that existing Certificate Authorities cannot simply be converted afterward. New CAs will eventually need to be deployed. This stops being a “future cryptography problem” and starts becoming a real PKI architecture discussion, imho.

The more I watched the session and followed the discussions afterward (also on Reddit), the clearer it became that the hardest part of this transition may not be quantum computing itself. It may be the reality of legacy infrastructure, old CSP dependencies, outdated TLS implementations, unsupported appliances, vendor limitations, and years of operational complexity quietly buried inside enterprise environments.

My blog is less about “quantum panic” and more about what this realistically means for enterprise PKI environments, AD CS, internal trust, and long-term cryptographic planning.

Would genuinely love to hear some feedback on the matter.

https://michaelwaterman.nl/2026/05/15/windows-server-2025-and-post-quantum-pki/

u/aprimeproblem — 6 days ago
▲ 11 r/PKI

Prepare for Post-Quantum now with new ADCS PKI?

I started another thread going down the path of using RSA and ECDSA ECC to handle a mixed environment.

https://www.reddit.com/r/PKI/comments/1t2r348/comment/olr2cgu/

However, now I see both RSA and ECDSA are on the path to deprecation in only 4 years.

Wouldn't it make more sense to use RSA and ML-KEM/ML-DSA together instead?

If you need legacy compatibility, RSA has more compatibility than ECDSA, and if you want future-proofing, ML-KEM/ML-DSA has a better future than ECDSA.

So, would you be better off not even getting involved with ECDSA at this point?

u/Fabulous_Cow_4714 — 7 days ago
▲ 8 r/PKI

Please suggest for 1 tier CA

Hi Guys,

Please help a fellow PKI newbie.

Sooo, we currently have an on-prem Microsoft Tier 1 CA setup where a single server is acting as both Root CA and Issuing CA (yeah, not ideal, inherited setup).

We’re planning to migrate this CA infrastructure to AWS and I’m trying to understand the cleanest and safest approach from people who’ve already done similar migrations in production.

Current environment:

  • Windows ADCS
  • Single-tier CA (Root + Issuing on same server)
  • IIS is also hosting certificate-related applications/pages under Default Web Site
  • Existing certificates are actively being used internally and externally
  • We also have templates, CRL/AIA locations, and auto-enrollment in place

Some of the things I'm trying to figure out:

Is taking a normal CA backup enough? From what I understand, the CA backup only captures:

  • CA database
  • Private key
  • Registry configuration

But it won't include IIS configuration/apps under Default Web Site. So for a proper migration, do I also need an IIS backup/export, app pool configs, website bindings, SSL bindings?

Please suggest

u/sadpumpkin1616 — 10 days ago
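As an added example (not from the post, and not Microsoft's migration guidance), this script captures the pieces a single-tier ADCS host with IIS on the side needs before a move: the CA role backup for the database and key, the CertSvc registry configuration exported explicitly rather than relied on from the CA backup, the list of templates the CA publishes, and the IIS side that the CA backup leaves out (site configuration, bindings, the CertEnroll content, and the TLS certificates behind the HTTPS bindings). It assumes it runs elevated on the CA server with the ADCSAdministration, WebAdministration and PKI modules available; the destination path is a placeholder.

```powershell
# Added example, not from the post: capture what a single-tier ADCS + IIS host needs
# for a move, including the IIS pieces the CA role backup does not cover.
# Assumptions: run elevated on the CA server; ADCSAdministration, WebAdministration
# and PKI modules are present; $dest is a placeholder destination path.

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = "D:\CA-Migration\$stamp"          # placeholder; any volume with enough space
New-Item -ItemType Directory -Path $dest -Force | Out-Null

Import-Module ADCSAdministration
Import-Module WebAdministration

# 1. CA database and private key. The target directory must be empty; -KeepLog keeps the
#    ESE log files so this is a full copy, and the password protects the exported key (PFX).
$caDir = Join-Path $dest 'CA'
New-Item -ItemType Directory -Path $caDir -Force | Out-Null
$keyPassword = Read-Host -AsSecureString -Prompt 'Password for the exported CA key'
Backup-CARoleService -Path $caDir -Password $keyPassword -KeepLog

# 2. CA registry configuration: CDP/AIA URL lists, validity settings, policy/exit module settings.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $dest 'CertSvc-Configuration.reg') /y
certutil -getreg CA\CRLPublicationURLs    | Out-File (Join-Path $dest 'crl-publication-urls.txt')
certutil -getreg CA\CACertPublicationURLs | Out-File (Join-Path $dest 'aia-publication-urls.txt')

# 3. Templates live in AD, not on the CA, so record which ones this CA publishes;
#    they are re-added on the new CA with Add-CATemplate.
Get-CATemplate | Export-Csv (Join-Path $dest 'published-templates.csv') -NoTypeInformation

# 4. IIS: configuration backup (sites, app pools, bindings, vdirs under Default Web Site)
#    plus the CRL/CA certificate files that the CertEnroll virtual directory serves.
& "$env:windir\system32\inetsrv\appcmd.exe" add backup "PreMigration-$stamp"
Copy-Item "$env:windir\system32\inetsrv\config\applicationHost.config" (Join-Path $dest 'applicationHost.config')
Copy-Item "$env:windir\system32\CertSrv\CertEnroll" (Join-Path $dest 'CertEnroll') -Recurse
Get-WebBinding | Select-Object protocol, bindingInformation, certificateHash, certificateStoreName |
    Export-Csv (Join-Path $dest 'web-bindings.csv') -NoTypeInformation
netsh http show sslcert | Out-File (Join-Path $dest 'http-sslcert.txt')

# 5. TLS server certificates bound in IIS, with private keys, so the HTTPS bindings can be
#    re-created. Export-PfxCertificate fails for a key generated as non-exportable; such a
#    certificate has to be re-issued on the new host instead.
Get-WebBinding -Protocol https | Where-Object certificateHash | ForEach-Object {
    $cert = Get-Item "Cert:\LocalMachine\$($_.certificateStoreName)\$($_.certificateHash)"
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $dest "iis-$($_.certificateHash).pfx") -Password $keyPassword | Out-Null
}

# 6. Sanity check before the old host is touched: every expected artifact must be present.
$expected = 'CA', 'CertSvc-Configuration.reg', 'published-templates.csv', 'applicationHost.config', 'web-bindings.csv'
$missing  = $expected | Where-Object { -not (Test-Path (Join-Path $dest $_)) }
if ($missing) { Write-Warning "Backup set incomplete, missing: $($missing -join ', ')" }
else          { Write-Host "Backup set written to $dest" }
```

The backup set should be checked on the side, not just assumed: open the `.reg` export and confirm the CDP and AIA URLs in it are the ones the existing certificates actually point at, since those URLs, not the server name, are what clients keep using after the move.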
▲ 30 r/PKI

Heads up. Let's Encrypt paused all production + staging issuance while they investigate a potential incident.

The TLDR:

  • New certs and renewals are failing right now
  • Existing certs are unaffected — your sites stay up
  • Turn off your retry loops. Rate limits will bite hard the second issuance resumes

Status page: https://letsencrypt.status.io/

LE flagged this as "potential" - they halt preemptively whenever something looks off, so this could clear in an hour or run longer.

u/certctl — 13 days ago