Microsoft CA Health Checks Made Simple!

Performing PKI Health Check for Microsoft CA (or ADCS) against vulnerabilities without using a health diagnostic tool is cumbersome, time consuming and costly. PKI Insights is a specialist PKI monitoring product which performs regular, automatic Microsoft CA’s health checks. This involves providing key metrics of your PKI plus active monitoring of critical issues such as:

  • Weak cryptographic keys
  • Weak signing algorithms
  • Issuance of long-lived X.509 certificates
  • PKI related anomalies
  • Issuance of non-standard certificate
  • Server status and lot more

Alarming PKI Facts

2021 – Global PKI & IOT Study

  • 46% organizations lack PKI skills
  • 71% organizations have no clear ownership in managing PKI
  • 50% of digital Certificate issuance has risen since 2019

2020 – Impact of Unsecured Digital Identities

  • 73% of security professionals admit digital certificates still cause unplanned downtime and application outages

Why choose PKI Insights?

Comprehensive PKI Monitoring & Analytics

For any enterprise finding weakness in their PKI can be disastrous. This can lead to huge regulatory fines, system downtime or complete shutdown of your public PKI (like diginotar). PKI Insights investigates your PKI against 250+ standard PKI health checks keeping your PKI health in check.

Discover hidden PKI problems

Get clear, concise, and interactive dashboard to check your PKI health. Track peak issuance hours, failure trends, and critical PKI issues effortlessly. Manage your entire PKI from single pane of glass anytime, anywhere.

Proactive Troubleshooting

PKI issues could be like CA/OCSP is down, CRL not accessible, issuance of weak keys or getting cert requests from rogue devices. All of this is notified to you right away without waiting for PKI auditors to raise concerns.

PKI Health Check Reports

Get daily summary reports on how your PKI is performing covering certificate analytics, health issues & alerts.

How PKI Insights works?

PKI Insights consist of 3 core components:

  • PKI Insights Portal: Browser based access to data, graphs and reports
  • PKI Insights Engine: Performs complex PKI checks against the CA’s data
  • PKI Insights Storage: Database where all PKI data is kept for analysis

The overall processing logic is quite simple:

  • PKI Insights examines your PKI as a continuous polling process
  • It regularly polls the configured CAs and fetch raw, latest certificate data
  • The raw data is processed and stored as searchable, meaningful data
  • Finally PKI Health checks are performed on the stored data
  • PKI Admin can now open the portal and see live meaningful, graphical PKI trends

5 Key Features

Features you get from PKI Insights

  • Get 360° View

    Learn more about your Microsoft CA as certificates are being issued with a 360 view of your PKI covering:

    Get an overall health of your Microsoft PKI
    Accessible data for all CAs from one dashboard
    Stats on certificates, failures, templates, up time
    Searchable portal to get filtered data
    Detect anomalies in your CA
    Get list of revoked entries

  • Analyze Trends

    Get graphs on 10+ key points of your PKI including on:

    PKI Up/Down time
    Certificates issuance
    Certificate Expiry
    Certificate Revocation
    Failed calls
    Alerts
    Certificate Templates
    Public Key Length, Algorithm, Signing Algorithm
    About to Expire Certificates in 7, 30 & 90 days

  • Performs 250+ PKI Health Checks

    Running Microsoft PKI is simple, detecting if it is issuing weak certificate or keys is hard. PKI Insight detects a range of issues covering in all of your Microsoft Certification Authorities:

    Digital Signature Algorithms
    Public Key Algorithm & Lengths e.g. RSA, ECDSA
    Certificate expiry beyond acceptable limits
    Failures coming while issuing certificates
    Detects digital certificates deviance from RFC 5280

  • Standard based

    PKI Insights is compliant with:

    RFC 5280
    RFC 6560
    CA/B Forum guidelines for SSL Certificates

  • Secure Access

    PKI Insight portal is only accessible to trusted resources of your organization. Authentication is done over TLS Client authentication giving the most powerful, password less authentication. Supports all major browsers over PC, MAC and Devices. Provides unlimited user access.

Deployment

  • Supported OS

    All flavors of Windows CA Server (2008, 2012, 2016, 2019, 2022)

  • Languages

    English – Other languages can be supported on demand

  • Minimum H/W Requirement

    8 GB RAM, 2 vCPU (2.3 GHz), 10 GB disk space

Words from Client

Leading companies rely on us for their PKI and digital signature needs

Using PKI Insights from Codegic has significantly improved our visibility into ADCS operations, helping us detect and respond to Microsoft CA issues with greater speed and confidence. Beyond the intuitive dashboards and actionable alerts, what truly stands out is the excellent quality of the product, the professionalism of the team, and their consistently responsive support. These qualities have made Codegic a trusted long-term IT partner for our organization.

Michel Rendine, Ingénieur systeme, CHEM.

Pricing

  • PKI Insights is charged per bundle
  • Each bundle allows you to deploy 2 instance of PKI Insights
  • To add more servers in your existing pool; Add more bundles OR Buy a single server instance at 50% of the bundle price
  • Test environments or Staging environments are charged 20% of the price

Maintenance Plan

With active annual software maintenance plan:

  • Keep your installation safe and secure with the latest security updates
  • Get free access to the newest features, enhancements, and bug fixes
  • Get premium support from our technical engineers (within 24 hours on business days)

Has your maintenance expired?

Want to renew your maintenance plan? The price for 12 months is 25% of your license’s (current) list price.

Save more with extended supported

  • Extend for 24 months and save 10%
  • Extend for 36 months and save 15% best value

FAQ

Can I get false alarms?

Chances of that are pretty low as all checks are based on PKI standards. If you want certain alarms to be ignored, do let us know.

Where does PKI Insights store its data?

PKI Insights works in a non intrusive way. PKI Insights pulls certificates from the CA at regular intervals and makes a local copy of it. This is then synched at regular intervals as well. All statistics is then calculated on this database. We support PostgreSQL for storing certificate data. If your company uses some other DBMS let us know and we will support it.

What digital certificate processing speed should I expect?

PKI Insights is capable of processing 100+ certificate/second or around 0.3 million certificates per hour. Once initial processing is done, detailed investigation (250+ checks) is performed in parallel and as its time complex process hence could take few more hours to finish.

How many CAs can be investigated with a single deployment?

There is no limit on the the number of CAs to be investigated with a single deployment of PKI Insights.

Is it possible to implement custom rules for my PKI?

We are open to any specific checks to be implemented for your PKI. If you also want a specific report to be generated do let us know as well. Speak to us and we’ll implement it for no extra charge.

Can I configure PKI Insights to stop for a certain time slot?

PKI Insights is designed to work as a continuous PKI health check tool. All you could do is to reduce the polling period but you can’t stop it for a time interval.

Do you support languages other than English?

Yes, do let us know the language of your choice and we will set it up for you.

Can PKI Insights integrate with CA's other than Microsoft?

Sure, let us know which PKI you want us to integrate with.

My PKI is perfect but due to 'failed calls' it's health rating is at 'C', what can be done?

PKI Insights allow you to set rating parameters as well. This can done by setting the failed calls threshold value to a much higher value hence reducing its impact on overall PKI health.

What risks I have while using PKI Insights?

Note that PKI Insights only communicates with Microsoft CA using the standard communication channel. PKI Insights doesn’t integrate with your CA’s database directly. If you already have more than 1 million certificates in your system then we recommend you to run PKI Insights at off-peak hours to reduce the chances of us slowling your CA, although the chances are fairly minimal as we process certificates in batches of 100 (configurable). After that PKI Insights polls after 5 seconds (configurable) to fetch any new certificates. As PKI Insights doesn’t interrupt your CA directly and it also reads data hence the risk of PKI Insights impacting your CA performance is fairly minimal and close to none.

Can the alerts be pushed to central logging system?

Yes, for traceability, alerts can be pushed securely to your central logging systems e.g. Splunk, Grafana, Greylog, LogRhythm etc.

For a PKI health issue, how quickly will I get an alert?

You should get an alert email in less than a 30 seconds and in worst situation in a minute.

My PKI Insights database is getting huge, can this be reduced?

PK Insights statistical data depends upon the certificate and alerts data it is accumulated from the CA. Removing data would means older statistical information will not correctly represent your PKI data. For example if you want one year old data to be removed then graphs/ data listings will not show that information. Let us know how much older data is to be removed and we will guide you further.

Can multiple PKI administrators login and get reports & alerts?

Sure, you can configure any number of administrators to authenticate and access the PKI Insights portal plus get alerts and summary emails for all of them.

How is PKI Insights installed?

PKI Insights comes bundled with a simple to use installer program. The installer also auto-detects the CA on the network and lets you link it with PKI Insights. For configuring more than one CAs, you may setup the PKI Insights configuration file to add more CAs.

I am getting a PKI health rating of 'A' should I stop running PKI Insights?

As long as your are running your PKI for production and issuing digital certificates you must keep PKI Insights running to ensure these are analyzed to keep your PKI free from security issues.

We generate thousands of X.509 digital certificates/hour for IOT. Can we get health check reports every hour?

Yes, PKI Insight allows the time duration after which a summary report is created. You can hence set the interval in minutes even.