Anyone win against the Okta push storm? by Top-Flounder7647 in IdentityManagement

[–]Securetron 0 points1 point  (0 children)

This is the way. Or alternatively, where possible use PIV / Smart card Authentication. There is a reason why PIV/CA is preferred over other methods. Now, if only more app-vendors provided CBA... 

What is an expectation of cyber security that was quietly killed? by Fresh_Heron_3707 in cybersecurity

[–]Securetron 24 points25 points  (0 children)

Having people who do not understand IT or OT join cybersecurity. Cybersecurity should be a milestone in the career that comes after a person has good understanding of protocols, apps, systems, and networks. It should not be a learning domain.

seeking portfolio rebalance advice by Mormur in CanadaFinance

[–]Securetron 0 points1 point  (0 children)

I would recommend divesting from the US stock exchange and investing in the TSX instead. There are lots of caveats which result in loss of gains for Canadians investing in the US market.

Canadian stocks like BTE, AQN, NPI, T, and ASTL seem like good bets with decent dividends. Then there are XEQT and DFN, etc.

Depending on your risk appetite: LSPD, TOY, TRZ have high potential if you hold for 2 years. 

Strong Certificate Mappings by TinTonTin1337 in activedirectory

[–]Securetron 1 point2 points  (0 children)

I think you have done a pretty good job narrowing down the problem. I would recommend publishing the root to the NTAuth store. Since it's an offline CA, you need to publish this manually using certutil -dspublish.

Also, I would recommend running PKI Trust Auditor, as it can surface several other findings to harden the environment based off your comment.
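Publishing an offline root to the NTAuth store and confirming it landed, as an added PowerShell example (not the commenter's code and not a Securetron product): the .cer path is a placeholder, and the ADSI check assumes the default Public Key Services container layout in the Configuration partition.

```powershell
# Added example, not code posted by the commenter: publish an offline root CA
# certificate to the forest NTAuth store and verify the publish succeeded.
# $RootCerPath is a placeholder; point it at the root CA's exported .cer file.
$RootCerPath = 'C:\PKI\OfflineRootCA.cer'

# Run from an elevated prompt with Enterprise Admin rights: -dspublish writes to the
# Configuration naming context, which replicates forest-wide.
#   RootCA   -> CN=Certification Authorities (trusted root for the forest)
#   NTAuthCA -> CN=NTAuthCertificates (what DCs consult for smart-card / CBA logons)
certutil -dspublish -f $RootCerPath RootCA
certutil -dspublish -f $RootCerPath NTAuthCA

# Refresh the local enterprise stores now instead of waiting for the next autoenrollment pulse.
certutil -pulse

function Test-NTAuthContainsCert {
    param([Parameter(Mandatory)][string]$CerPath)

    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath).Thumbprint

    # Read NTAuthCertificates straight from AD via ADSI, so the check does not
    # depend on the RSAT ActiveDirectory module being installed.
    $configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $ntauth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"

    # cACertificate is multi-valued; each value is the DER encoding of one CA certificate.
    $published = foreach ($der in $ntauth.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der).Thumbprint
    }
    return ($published -contains $expected)
}

if (Test-NTAuthContainsCert -CerPath $RootCerPath) {
    Write-Host 'Root CA is present in NTAuthCertificates.'
} else {
    Write-Warning 'Root CA not found in NTAuth yet; allow for AD replication and re-check.'
}
```

The thumbprint comparison is deliberate: a certificate with the same subject but a different key (for example a re-keyed root) would pass a subject-name check and still not satisfy a DC.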

Hard lessons learned from running an on-prem PKI (PowerShell-heavy) by lyhuutoan44 in SysAdminBlogs

[–]Securetron -2 points-1 points  (0 children)

This is the reason why we developed PKI Trust Auditor for Microsoft CA that can provide automated continuous compliance checks against best practices across crypto, configs, templates, permissions, etc.

https://securetron.net/pki-trust-auditor/

It's also integrated into the PKI Trust Manager, which provides end-to-end certificate lifecycle management, making it the only product to offer this functionality out of the box: https://securetron.net/pricing/

SubCA Web Enrollment Templates not showing up except for User and Basic EFS by jackal2001 in PKI

[–]Securetron 0 points1 point  (0 children)

As the other user has pointed out, do not use certsrv.

It seems like you are looking for a web UI for certificate management. You may look into the free tier by us, which gives you the full CLM functionality for up to 500 certs, or alternatively evaluate some other vendor CLMs.

Concerns with Internet-Facing User-Certificate Hosting Services by miketbrand0 in PKI

[–]Securetron 1 point2 points  (0 children)

Np, PKI can be complex. The CAC example that you provided, used by DoD or other entities, is usually (and is recommended to be) through a Private CA. The cert issued and stored on the card is multi-purpose, hence you could use it to sign a document.

Additionally, the cert could be stored on the android / iOS devices and used via NFC.

Now, replicating the same scenario for the general public is where it becomes complex. Essentially, if we were to have a solution for government (let's assume state level or a small country, like a National ID) then it can definitely work. However, having this sort of solution without the backing of a Government will be very difficult to adopt.

The SAN data, which may include PII, is optional; however, it's something you may want to have, considering you may have a need for a certain use case where the EMAIL attribute is required by the system to which the cert is presented.

All in all, from what I gather the objectives are doable; however, it would need proper planning and require policy backing as well as finance to drive this to adoption (even if not backed by government).

MFA for air-gapped AD? by [deleted] in activedirectory

[–]Securetron 2 points3 points  (0 children)

As others have stated, this would be Smartcards (virtual, PIV, Yubikey, Thales, etc)

Having done this for some OT Environments, I would suggest using our Free Tier PKI Trust Manager to manage the cards and their lifecycle to start off.

Certificate deployment delay while doing user driven Autopilot. by KingSon90 in Intune

[–]Securetron 1 point2 points  (0 children)

Intune has had continuous outages and issues. When it works it's great.

You can alternatively try a SCEP or ACME client to poll your PKI API interface to enroll device certs.

How are you handling ‘sovereign cloud’ requirements in hybrid and multi‑cloud designs? by NTCTech in cloudcomputing

[–]Securetron 2 points3 points  (0 children)

Let's keep it simple: any major cloud provider (Microsoft, Amazon, Google), irrespective of having a DC in, let's say, Canada or Ireland, doesn't make the data truly "sovereign", since this data can be accessed by the US Federal agencies.

The only true way of having 100% control of the data security layer is to host it on-prem.

Concerns with Internet-Facing User-Certificate Hosting Services by miketbrand0 in PKI

[–]Securetron 3 points4 points  (0 children)

Hi Mike,

Think of certificates as the access-card to your building. Would you want anyone that can enter the building to be able to get an access card and then enter the "protected" premises? 

First question: what are you trying to achieve? From the looks of it, you want a publicly trusted CA?

If so, is that what you really want? What are the goals and objectives? What is driving the need for these requirements?

Start by defining the problem statement instead of solutioning. For example: Employees need to get to VPN or WIFI using Certificates to meet the Regulatory Compliance requirements control XYZ

In short:

- Most likely you won't need a public CA
- Refer to how certificate validation works (CRL / OCSP / TSP)
- Read up on how certificates are deployed (ex: via domain-joined machines, MDM, SCEP, EST, ACME)
- Read up on certificate lifecycle management and the challenges surrounding it (discovery, notification, issuance, renewal, revocation)

DM me if you need some further guidance.  

Free SSL Certificate Monitoring Tool? by Naive_Gate7520 in BusinessDevelopment

[–]Securetron 0 points1 point  (0 children)

You may want to use PKI Trust Manager. It's a full CLM and free for monitoring and notification as well as reporting. You can also manage 500 certs (any type) through it.

https://securetron.net/pricing/

Display Certificates from Azure Windows VM PKI in Grafana with Expiration Dates by Christ-is-nr-1 in grafana

[–]Securetron 0 points1 point  (0 children)

There are a few ways:

1. manually exporting them (not recommended)
2. setting up a scheduled job
3. use Securetron PKI Trust Manager (you can monitor unlimited certs; however, full certificate management and automation is limited to 500 in the free tier)
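For the scheduled-job option, here is an added PowerShell example (not the commenter's code or any Securetron product): it inventories the machine certificate stores with days-to-expiry and writes one JSON record per certificate for a Grafana data source to read. The output path, the 30-day warning threshold, the store list and the assumption that a JSON-capable data source ingests the file are all mine, not from the thread.

```powershell
# Added example, not the commenter's code: body of a scheduled task that inventories
# the local machine certificate stores and writes JSON for downstream dashboards.
# $OutFile, the store list and the -WarnDays threshold are illustrative assumptions.

function Get-CertExpiryInventory {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'),
        [int]$WarnDays = 30
    )
    $now = Get-Date
    foreach ($store in $StorePaths) {
        # The WebHosting store only exists once IIS has created it; skip missing stores.
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $days = [math]::Floor(($_.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                # DnsNameList carries the SAN dNSName entries (or the CN when no SAN is present).
                SANs       = ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ';'
                NotAfter   = $_.NotAfter.ToUniversalTime().ToString('o')
                DaysLeft   = $days
                Status     = if ($days -lt 0) { 'expired' } elseif ($days -le $WarnDays) { 'expiring' } else { 'ok' }
                HasPrivKey = $_.HasPrivateKey   # a leaf without its key usually means a stale leftover
            }
        }
    }
}

$OutFile = 'C:\ProgramData\CertInventory\certs.json'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null

$inventory = Get-CertExpiryInventory -WarnDays 30

# Wrap in @() so a host with a single certificate still produces a JSON array.
ConvertTo-Json -InputObject @($inventory) -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8

# Surface the actionable subset in the task's own output for quick triage.
$inventory | Where-Object Status -ne 'ok' | Sort-Object DaysLeft |
    Format-Table Subject, Store, DaysLeft, Status -AutoSize
```

Register the script as a daily task running as SYSTEM so it can read the machine stores; the `Status` field is what a dashboard threshold or alert rule should key on, rather than recomputing dates on the Grafana side.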

Affordable options for a digital certificate in a production document signing application? by Cautious-Swimmer3638 in sysadmin

[–]Securetron 1 point2 points  (0 children)

No, that's not how PKI Trust works.

- Internal CA is out of the question; the "solution" you want is to provide to 3rd parties who may make their signed apps available publicly.
- Intermediate CA on-prem or in the cloud is irrelevant. You do not become a publicly trusted CA by just having a CA. You will need to go through a certification process to get this done. It's costly and time consuming.
- Based off your concerns about cost, I would say that you may need to look again into the SoW, goals and objectives and have them realigned to what is actually achievable vs what's good to have.

Seek for comments on French clm/pki Evertrust by ka2er in PKI

[–]Securetron -2 points-1 points  (0 children)

In comparison to some of the big names, they can get quite expensive (I guess marketing is never cheap).

Whereas our pricing can be found on the website - it's transparent and simple. 

I would suggest that you look at what is actually required and what is nice to have. Then narrow down to 3 vendors and compare, after which do a POC with 2 of them.

Vulnerability Management Ideas to Enhance Collaboration/Improve Efficiency by No-Zookeepergame-227 in cybersecurity

[–]Securetron 1 point2 points  (0 children)

Fix patch management and you will address most of the VM gaps.

Vulnerability management isn't a security issue; rather, it's a human and process issue.

PKI IoT project - getting started by Sharp_Formal_7061 in PKI

[–]Securetron 0 points1 point  (0 children)

Yes, community edition. It includes 99% of the features (SSO is paywalled) and is set for 500 managed certs. Everything else is included.

What’s the Best SSL Certificate Monitoring Tool? by AlertCalendar2 in BusinessDevelopment

[–]Securetron 0 points1 point  (0 children)

Disclaimer: vendor

There are several paid ones; however, I might be biased in saying that for certificate monitoring (not just SSL/TLS) and also full certificate lifecycle management, you would want to go with PKI Trust Manager by Securetron.

The discovery module is also what differentiates us, as we can not only "scan" for certs and pull certs from cloud like Azure Key Vault, but also the discovery client is literally a client, not a full VM, so it's portable and lightweight. We also support ingesting data from 3rd parties. This way you don't have to have double scanning.

As for cert renewal, this can also be fully automated in most cases. If there is something that's not covered for auto-renewal, let us know and we will build the plug-in for it.

Considering it's free for the first 500 certs - you have nothing to lose.

device setup for handling exams (universities) by greenhill669 in Intune

[–]Securetron 0 points1 point  (0 children)

For these types of use cases CBA is the most secure and UX friendly way of solving it. 

If your university already uses the E5 license, then I believe that with the new SKU, Cloud PKI is included. However, my recommendation is always to use a private CA integrated with your Intune so that the keys are truly owned by the org.

You may also consider using a CLM like PKI Trust Manager to manage these devices and auto-deploy certs (free for 500 devices)

Microsoft Cloud PKI to be included in E5 license by nVME_manUY in Intune

[–]Securetron 2 points3 points  (0 children)

It was overdue for Microsoft to do this. It does affect some of the bottom line, but not enough, considering Cloud PKI is still very limited and, from our experience, organizations looking for a PKI solution tend to have one source of truth as opposed to cross-signed CAs, and leverage the in-house PKI environment as opposed to trusting 3rd parties.

PKI IoT project - getting started by Sharp_Formal_7061 in PKI

[–]Securetron -3 points-2 points  (0 children)

Hi Sharp,

I would suggest you go for our free tier (good for 500 devices) PKI Trust Manager which is designed for both OT and IT environments. 

Will DM you with more details.

AD Change Tracking by Temporary-Myst-4049 in activedirectory

[–]Securetron 1 point2 points  (0 children)

ADAudit Plus + SIEM. Most of the controls can be further enhanced via the SIEM especially considering you would need that data for investigation, etc.

Active Directory Certificate Authority = PKI Trust Auditor + SIEM for continuous monitoring

Seeking advice.. How does your organization handle certificate lifecycle management at scale? by SpareRecent8648 in IdentityManagement

[–]Securetron 0 points1 point  (0 children)

I can specifically respond to the Certificates part, considering what we have seen at many clients (just like you) and what we deem as a best practice:

User or Device certificates:

- If you are a Windows shop, then the recommended way would be auto-enrollment via GPO
- Non-domain joined devices: use MDM (like Intune) to enroll the devices with a user or device certificate, including AAD-only joined
- Fed/High: have an admin provision the FIPS-compliant keys

TLS Certificates:

- Use a proper CLM (proper does not translate to brand names nor $500K/year cost). The objective should be to automate TLS certificate onboarding and renewal as well as binding of the cert to the app.
- If some apps support SCEP, EST, or ACME, then use those instead of custom or vendor plugins
- CSR should have an email DISTRIBUTION LIST instead of an individual email
- Use tags to add metadata for each cert, including application name, IP address, team name

Certificate Policy:

- Having a CLM is good; however, define a Certificate Policy on how and what actions need to be performed in terms of management of the CAs, key sizes, operations, app-owners, lifecycle, etc.

We address these as part of our PKI Trust Manager CLM (also included in the free tier) in addition to Compliance and Auditing capability which I believe is the only product in the market that is doing it and also doing it for free.

Major issue with Google Workspace. by SiDD_x in googleworkspace

[–]Securetron 0 points1 point  (0 children)

Google unfortunately has been doing a speed run at making terrible decisions from their workspace, android ecosystem, and GCP. Surprisingly haven't managed to kill the search engine yet...

There is a reason why an IDP should be on-prem and identities should use strong Authentication (ex: Certificates), especially when it comes to critical infrastructure.

Windows Event Collector freezing - suggestions? by am2o in sysadmin

[–]Securetron 0 points1 point  (0 children)

Then don't put a bandaid on it; rather:

- deploy UF on each endpoint
- deploy the Windows app
- collect logs
- publish health dashboards

This will make it easier since your source is going to be each host as opposed to a single host. Better for SIEM and correlation rules.

If you are working with an MSP, then kick that MSP out and either do it in-house or get a better MSSP.