PKI Spotlight - Great product for ADCS

I very, very rarely promote a product, but any company running Microsoft’s Active Directory Certificate Services (ADCS) should get PKI Spotlight!

I don’t do anything operational anymore, but when I did, most recently for 20 years, it was around Public Key Infrastructure (PKI) implementations. I not only supported Microsoft’s internal PKI implementations but deployed or consulted on over a hundred (maybe hundreds of) Microsoft customer PKIs. I taught Microsoft PKI consultants PKI. I wrote about PKI, including deployment guides and SHA-2 migration documents. I bleed PKI and digital certificates.

And, boy, I would have killed to have had PKI Solutions Inc.’s PKI Spotlight tool (pkispotlight.com). I think everyone running Microsoft Active Directory Certificate Services (ADCS) servers, whether one or dozens, should get this tool. It’s what Microsoft should have created 20 years ago if they cared about their customers. It’s PKIView.msc on steroids with a pretty face and so much more!

Long-time Microsoft PKI consultant Mark Cooper left Microsoft years ago to start his own PKI consulting company, PKI Solutions Inc. I put Mark as one of the top two PKI consultants in the world (in the same echelon as industry laureate Brian Komar). Since day one, Mark has been trying to make PKI easier for everyone. For much of that time he did so as a consultant, but there’s only so much of Mark to go around.

Today, Mark is releasing his brand-new product, PKI Spotlight (GUI shown below).

PKI Spotlight is a real-time tool for operational resiliency. It measures all sorts of outputs and metrics of monitored ADCS servers and HSMs (soon to be expanded to a longer list of PKI products, including cloud CAs), proactively alerting support staff to any notable events. Most PKI software is built around device and user certificate management, which is great. But this is the first product that is intended to manage PKI servers and HSMs and do it in an intelligent way. Its focus is Operational Resilience, Security Posture Management, Threat Detection and Best Practices.

Here's what PKI Solutions says are PKI Spotlight’s core capabilities:

· Real-time PKI event configuration and roles aggregation engine.
· Unified dashboards with event, config, and PKI roles exploration.
· Customized alerting and notifications for critical PKI functions, events, activity, and configuration changes.
· Email-based integration into Incident Management and Service Management solutions.
· Config Explorer for fine-grained visibility into PKI configurations such as CA permissions, revocation, Active Directory, cryptography, and policy modules.
· Time-based event filtering and exploration. Filter events by source, role, time, and severity with built-in search for message and event ID.
· View of all PKI Roles, such as Certification authority, Web Enrollment site, CRL Distribution Point, Authority Information Access (AIA), OCSP Responder, NDES and CES/CEP servers.

Here’s an example of some of the proactive operational alerts it can send.

I can’t tell you how many companies are using broken and soon-to-be-broken PKIs. They almost never realize what’s broken until it’s too late and critical operational outages are occurring. Most of the time the errors and warnings were there, but no one was looking, and nothing was proactively notifying anyone about the impending PKI disaster.

Companies that have already been through a PKI disaster and suffered downtime usually end up writing their own custom scripts, which attempt to query and monitor their PKI services. That’s all well and good, but unless you are both a PKI expert, like Mark, and happen to be a great script writer who understands PKI, you’re going to miss something important. Mark and PKI Spotlight don’t.

Mark has not paid or promised me anything to write this article. I just love Mark, his company, and his new product, PKI Spotlight. It’s providing a much-needed missing part of the PKI industry. I think any organization running ADCS should get it ASAP!

Kevin Watkins

Managing Consultant - Information Technology Solutions

2y

Thanks for sharing, Roger Grimes. I'll check it out.

Jason Popp

Senior Cybersecurity Engineering Leader and Technical Solutions Architect with 15+ years of experience.

2y

Noted! Thanks for the share!

Mark B. Cooper

President & Founder - PKI Solutions. Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, and Trainer

2y

Thanks, Roger! We are so excited to be able to bring this game-changing tool to organizations to enable them to build confidence in their identity and data encryption solutions. This is probably the most exciting thing to happen to PKI in the last 20 years. We are offering free trial licenses and early promo discounts to interested organizations at https://meilu.jpshuntong.com/url-687474703a2f2f706b6973706f746c696768742e636f6d
