PKI Health Check Automation Tool > PKI Insights

Execute PKI health checks on Microsoft Enterprise CA giving up to date analytics, trends and alerts

Performs 250+ critical PKI health checks
Actively monitors your CA (24x7x365)
Get an in-depth analysis of your PKI
Detects PKI weaknesses and raises alerts
Get access to PKI health check reports any time, any device

What is PKI Health Check?

PKI health check involves performing investigating, analyzing, and reporting of PKI related issues.

PKI health check involves identifying key metrics of your PKI plus active monitoring of critical issues related to it. Most of these issues relate to the X.509 certificate issuance failures caused due to miss-configured CAs or when attackers issue fake certificates. Checking includes analyzing how many certificates are issued, revoked and expired at a particular point in time. Monitoring your PKI Health is based on checks like detection of:

Weak cryptographic keys
Weak signing algorithms
Issuance of long-lived X.509 certificates
PKI related anomalies
Issuance of non-standard certificate
Server status and lot more

Performing PKI Health Check for Microsoft CA (or ADCS) against vulnerabilities without using a health diagnostic tool is cumbersome, time consuming and costly calling the need for a specialist PKI monitoring product, which is what PKI Insights in essence is!

When was the last time you monitored your Microsoft Enterprise CA?

PKI Insights performs over 250+ PKI health checks making it the most advanced PKI Health monitoring & analytical tool available.

Alarming PKI Facts

PKI usage is increasing and so the need to monitor.

2021 – Global PKI & IOT Study

46% organizations lack PKI skills
71% organizations have no clear ownership in managing PKI
50% of digital Certificate issuance has risen since 2019

See Ref 1, Ref 2

2020 – Impact of Unsecured Digital Identities

73% of security professionals admit digital certificates still cause unplanned downtime and application outages

3 good reasons to choose PKI Insights for Microsoft CA health check.

1 - Comprehensive PKI Monitoring & Analytics

Fact: Managing Microsoft PKI can quickly get nasty.

A trustworthy PKI relies on the fact how Certification Authorities (CA) are managed to issue trusted, secure digital identities. For any enterprise finding weaknesses in their CA can be disastrous undermining all your PKI efforts. A CA might be creating digital certificates without your knowledge or issuing certificates using weak algorithms like SHA-1, RSA 1024 or ECC-160 bit algorithms. The worry quadruples with the issuance of thousands of digital certificates to IOT or end-users. This can lead to huge regulatory fines, system downtime or complete shutdown of your public PKI (like in the case of diginotar).

With its advanced monitoring engine, PKI Insights:

Investigates the issued certificate against 250+ standard PKI health checks
Show your trends of certificate issuance, revocation & expiry in your PKI
PKI administrator can easily search and find details about issued certificates
See failures of CA up/down time
Get daily summary reports of the true performance of your PKI.

PKI Insights gives your admin a true picture of whether to worry or relax.

PKI Insights - PKI Health Check - iPhone - Graphs

PKI Insights - PKI Health Check - iPhone-Dashboard

2 - Dashboard for Microsoft CA Health check

Discover hidden PKI problems in your Enterprise CA.

PKI Insights summarizes all the key aspects of your Microsoft PKI health in a clear, concise & colorful dashboard making health checking and decision making fast and enjoyable. Administrators can see the peak hours where digital certificates were issued the most, time during which failures occur in certificate issuance and the PKI health issues identified against them. There is no limit on the number of CAs to work with. You can now monitor multiple CAs in your entire PKI from just one secure user interface. No more need to login to the CA server to get just boring transactional data. Monitor your PKI health any time and any where using your PC, tablet or mobile and get actionable data.

PKI admins can now get a concise summary of their PKI Health status.

3 - Prompt Alarms for Proactive Troubleshooting

Your PKI is in trouble? Get notified fast.

PKI servers issues can be very hard to troubleshoot. It is quite difficult to know that your CA was down at the middle of off-peak hours and then went up. Similarly your OCSP server might be down for few minutes or access to CRL was interrupted. You might be on a vacation while your CA server is issuing weak keys, getting requests from rogue devices for certificate issuance or issuing long lived digital certificates. All of this is detected and notified to you right away without waiting for PKI auditors to come and raise concerns over your PKI.

Shortcomings in PKIView tool

Most of PKI admins use the Microsoft OS bundled PKIView utility to investigate about their PKI health which is not efficient nor provides detailed information. Some of its shortcomings are:

– Doesn’t give you information about your CA down time
– Doesn’t notify you with any alerts when an issue is found
– Doesn’t provide PKI health details about the issued end entity certificates
– Doesn’t provide information about weaknesses in crypto keys or algorithms
– Only shows the PKI state at the moment in time hence can’t get historical data

Without an automated PKI monitoring tool, your PKI Admin would require extracting all the issued digital certificates, failed calls information and then manually analyze the data against the known PKI vulnerabilities.

PKIView is just a handy tool for a basic PKI investigation but lack features to give you full insight over your PKI.

How PKI Insights works?

PKI Insights majorly consist of 3 core components:

PKI Insights Portal: Browser based access to data, graphs and reports
PKI Insights Engine: Performs complex PKI checks against the CA’s data
PKI Insights Storage: Database where all PKI data is kept for analysis

The overall processing logic is quite simple:

PKI Insights examines your PKI as a continuous polling process
It regularly polls the configured CAs and fetch raw, latest certificate data
The raw data is processed and stored as searchable, meaningful data
Finally PKI Health checks are performed on the stored data
PKI Admin can now open the portal and see live meaningful, graphical PKI trends

PKI Insights - How PKI Health check is performed

0 PKI Health Checks

0 Data Points

0 Proactive Analytics

PKI Insights simplifies your day!

Save Time

Getting actionable statistics from Microsoft CA is time consuming. Learn about your own PKI at a click of a button. Want more info? Click to drilled down and see detailed records on certificates, failed calls, PKI health, alerts, CA up time, reporting and more.

Save Effort

PKI Insights is specially developed to remove the pain points which comes during Microsoft Enterprise CA health monitoring. With proactive alerts, CA administrators can now spend more time in new projects rather probing existing CA deployments for problems.

Save Money

Save cost on fruitless continuous monitoring your PKI servers rather get reports via email when your PKI's health status changes. Get daily reports summarizing the activities of the. Also save deployment cost by managing all your PKI from a single portal.

7 Key Features of PKI Insights

360° View

Get 360° View

Learn more about your Microsoft CA as certificates are being issued with a 360 view of your PKI covering:

Get an overall health of your Microsoft PKI
Accessible data for all CAs from one dashboard
Stats on certificates, failures, templates, up time
Searchable portal to get filtered data
Detect anomalies in your CA
Get list of revoked entries

Analyze Trends

Get graphs on 10+ key points of your PKI including on:

PKI Up/Down time
Certificates issuance
Certificate Expiry
Certificate Revocation
Failed calls
Alerts
Certificate Templates
Public Key Length, Algorithm, Signing Algorithm
About to Expire Certificates in 7, 30 & 90 days

Alerts

Get instant email/SMS based alerts when Microsoft CA goes down or your CA is not working as it should. Detects any major changes as they occur e.g. OCSP Server, CRL not accessible or changes in your CA Health Rating.

250+ PKI Checks

Performs 250+ PKI Health Checks

Running Microsoft PKI is simple, detecting if it is issuing weak certificate or keys is hard. PKI Insight detects a range of issues covering in all of your Microsoft Certification Authorities:

Digital Signature Algorithms
Public Key Algorithm & Lengths e.g. RSA, ECDSA
Certificate expiry beyond acceptable limits
Failures coming while issuing certificates
Detects digital certificates deviance from RFC 5280

Reports

PKI Health Check Reports

Get daily summary reports on how your PKI is performing.

Get all time certificate analytics
See detailed list of health issues found in the PKI
Daily stats on certificates issued, failures & alerts
Reports sent at configurable time slots

Secure Access

PKI Insight portal is only accessible to trusted resources of your organization. Authentication is done over TLS Client authentication giving the most powerful, password less authentication. Supports all major browsers over PC, MAC and Devices. Provides unlimited user access.

Standard based

PKI Insights is compliant with:

RFC 5280
RFC 6560
CA/B Forum guidelines for SSL Certificates

Deployment

Supported PKI

All flavors of Windows CA Server (2008, 2012, 2016, 2019, 2022)

Languages

English - Other languages can be supported on demand

H/W Requirement

2 GB RAM, Core i5 2.4 GHz CPU, 500 MB Hard disk

PKI consultant vs PKI Insights?

Head to head comparison in dealing with manual vs automated way of checking your PKI's Health

Instant Results

(+) PKI Insights can investigate your PKI and raise issues in minutes.
(-) Manual investigations are not quick and require a lot of steps. Firstly you need your IT staff to give access of your PKI system to the consultant. The consultant would then export the certificate data in machine readable format. Once done the investigation of each issued certificate is performed and hence findings are recorded. These steps needs to be repeated for each CA in your PKI infrastructure.

Privacy

(+) Vulnerability leakage is the last thing you need after all the efforts made to identify issues in a PKI. With PKI Insights as all certificate data, alerts, reports stays inside your office.
(-) With a PKI consultant, you need to setup an NDA and still there are no guarantees that the vulnerabilities found will remain in house.

Quick Setup

(+) PKI Insights takes an hour to setup, configure and run.
(-) With a PKI consultant you would require scheduling meetings to explain the PKI infrastructure and provide access to the system before any exploration start. All of this may take a day or so.

27x7x365

(+) To achieve a steady state operations of a company, PKI must be checked all times. PKI Insights monitor all your PKI at all times.
(-) A PKI consultant only investigates when requested on a monthly/quarterly scheduled checkup giving more chances for your PKI issues going undetected for too long.

Value to Money

(+) PKI Insights offers a low cost, one time fixed price. Also with active support you will also get regular product updates and your chance to add certain features of your choice.

(-) A good PKI consultant would charge on an hourly/daily rate (e.g. average $100 to $250/hour) or a high fixed cost amount per analysis.

Focus

(+) PKI Insights primary focus is to find vulnerabilities in your current PKI and not on your PKI design and whether it serves your needs or not. Your PKI would already be meeting your needs.
(-) PKI consultants will normally focus on the PKI architecture and processes rather the current operations which are often ignored in a PKI project.

Simple Reporting

(+) PKI Insights presents data in easy to understand graphical format.
(-) A PKI consultant reports will be mostly verbose with no or few graphs. Such reports may first be reviewed internally before being issued and approved thus further delaying the time to fix PKI vulnerabilities.

Flexible

(+) Not every PKI is the same hence we are open to hear and implement any custom PKI rules you wish.
(-) A PKI consultant who would follow their own company’s strict PKI rules and would still raise issues which are less of a concern to your PKI.

Pricing & Maintenance

Pricing

PKI Insight is charged per CA
Get 10% discount for 2 or more CAs
Test & Staging PKI environments are charged at half price
Price inclusive of first 12 months of maintenance plan

Maintenance Plan

With active annual software maintenance plan you:

Keep your PKI Insights installation safe and secure with the latest security updates
Get free access to the newest features, enhancements, and bug fixes for PKI Insights
Get premium support from our technical engineers (within 24 hours on business days)

Has your maintenance expired?

When you buy a PKI Insights license, you automatically get free 12 months of maintenance.
Want to renew your maintenance plan? The price for 12 months is 25% of your license’s (current) list price.

Save more with extended supported:

Extend for 24 months and save 10%
Extend for 36 months and save 15% best value

FAQ

Can I get false alarms?

Chances of that are pretty low as all checks are based on PKI standards. If you want certain alarms to be ignored, do let us know.

Where does PKI Insights store its data?

PKI Insights works in a non intrusive way. PKI Insights pulls certificates from the CA at regular intervals and makes a local copy of it. This is then synched at regular intervals as well. All statistics is then calculated on this database. We support PostgreSQL for storing certificate data. If your company uses some other DBMS let us know and we will support it.

What digital certificate processing speed should I expect?

PKI Insights is capable of processing 100+ certificate/second or around 0.3 million certificates per hour. Once initial processing is done, detailed investigation (250+ checks) is performed in parallel and as its time complex process hence could take few more hours to finish.

How many CAs can be investigated with a single deployment?

There is no limit on the the number of CAs to be investigated with a single deployment of PKI Insights.

Is it possible to implement custom rules for my PKI?

We are open to any specific checks to be implemented for your PKI. If you also want a specific report to be generated do let us know as well. Speak to us and we’ll implement it for no extra charge.

Can I configure PKI Insights to stop for a certain time slot?

PKI Insights is designed to work as a continuous PKI health check tool. All you could do is to reduce the polling period but you can’t stop it for a time interval.

Do you support languages other than English?

Yes, do let us know the language of your choice and we will set it up for you.

Can PKI Insights integrate with CA's other than Microsoft?

Sure, let us know which PKI you want us to integrate with.

My PKI is perfect but due to 'failed calls' it's health rating is at 'C', what can be done?

PKI Insights allow you to set rating parameters as well. This can done by setting the failed calls threshold value to a much higher value hence reducing its impact on overall PKI health.

What risks I have while using PKI Insights?

Note that PKI Insights only communicates with Microsoft CA using the standard communication channel. PKI Insights doesn’t integrate with your CA’s database directly. If you already have more than 1 million certificates in your system then we recommend you to run PKI Insights at off-peak hours to reduce the chances of us slowling your CA, although the chances are fairly minimal as we process certificates in batches of 100 (configurable). After that PKI Insights polls after 5 seconds (configurable) to fetch any new certificates. As PKI Insights doesn’t interrupt your CA directly and it also reads data hence the risk of PKI Insights impacting your CA performance is fairly minimal and close to none.

Can the alerts be pushed to central logging system?

Yes, for traceability, alerts can be pushed securely to your central logging systems e.g. Splunk, Grafana, Greylog, LogRhythm etc.

For a PKI health issue, how quickly will I get an alert?

You should get an alert email in less than a 30 seconds and in worst situation in a minute.

My PKI Insights database is getting huge, can this be reduced?

PK Insights statistical data depends upon the certificate and alerts data it is accumulated from the CA. Removing data would means older statistical information will not correctly represent your PKI data. For example if you want one year old data to be removed then graphs/ data listings will not show that information. Let us know how much older data is to be removed and we will guide you further.

Can multiple PKI administrators login and get reports & alerts?

Sure, you can configure any number of administrators to authenticate and access the PKI Insights portal plus get alerts and summary emails for all of them.

How is PKI Insights installed?

PKI Insights comes bundled with a simple to use installer program. The installer also auto-detects the CA on the network and lets you link it with PKI Insights. For configuring more than one CAs, you may setup the PKI Insights configuration file to add more CAs.

I am getting a PKI health rating of 'A' should I stop running PKI Insights?

As long as your are running your PKI for production and issuing digital certificates you must keep PKI Insights running to ensure these are analyzed to keep your PKI free from security issues.

We generate thousands of X.509 digital certificates/hour for IOT. Can we get health check reports every hour?

Yes, PKI Insight allows the time duration after which a summary report is created. You can hence set the interval in minutes even.

Wish to see PKI Insights?

You can have a test drive of PKI Insights with our test data and see the Dashboard, Reporting in action.

Get Started

Still not convinced?

All it takes few minutes to get PKI Insights to see in action!

Request for Demo

Quick PKI Analysis

Admins love PKI Insights because it gives clear, actionable & targeted data for quick analysis & decision making. Reduce your PKI frustrations today.

Monitors entire PKI Infrastructure

Root CAs, Sub CAs, Certificates, CRLs, OCSP - PKI Insights efficiently keeps an eye on your entire PKI.

Try PKI Insights for free

Want to see PKI Insight in action? Start now with your 30-day trial.