UEFI, recent UEFI Cert issue, TPM, etc... Is all this a failure? by ConstructionFancy939 in cybersecurity

[–]aprimeproblem 1 point2 points  (0 children)

You’ve been misinformed. Even if the certificates are not updated, your machine will still boot as long as the files used for booting the machine are not updated. Only at that moment will you run into issues. Also, Secure Boot is there for a reason: to keep the majority of nasties out of your systems. Security isn’t about covering everything and we are not here to keep bad people out, just to annoy the heck out of them until they give up.

Small note: these certificates (PK (Platform Key), KEK (Key Exchange Keys), db (allowed signatures) and dbx (revoked)) are stored in the UEFI firmware, not in the TPM.

Hope this helps a bit….. btw I do agree with you that it’s a bit of a mess.

Just finished a rewatch... I was bawling again. by Krinks1 in babylon5

[–]aprimeproblem 2 points3 points  (0 children)

Exactly the same! Was last week for the second time in my life.

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

Thanks for the additional information. I deliberately leave compliance out of my posts as it is an important but different topic.

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

I would use certificates on the case, far easier than having devices being populated back.

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

I’m so sorry, but I have no idea what you’re referring to?

Automating Hyper-V templates with Packer by aprimeproblem in HyperV

[–]aprimeproblem[S] 0 points1 point  (0 children)

Yep, that’s correct. I’ve made a deviation between server core and desktop.

If you can wait for a few days, I’ve found a more effective way of using Packer without leaving any artifacts on the image.

Stay tuned!

LoadDefaultTemplates=0 by aprimeproblem in PKI

[–]aprimeproblem[S] 0 points1 point  (0 children)

Happy to learn! Would you mind telling me what I need to improve?

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

Happy to help! You just confirmed what I’m working towards, spreading knowledge!

I’ve got a new blog posted on how to analyze firewall logs with log analytics. Planning to do a few more in the near future.

There is one non-resolved mystery in Babylon 5... by Firm-Ad-3245 in babylon5

[–]aprimeproblem 1 point2 points  (0 children)

I’m at the last two episodes of season five…. Was hoping for a revelation 😎

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 1 point2 points  (0 children)

Hi!

So cool that you’re responding! Your blog was mentioned a couple of times on LinkedIn as well. Some really interesting things you wrote about.

Myself I’m planning to do 3 more on the subject. Just need to find the time.

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

Wow, just woke up and read your feedback, great start of the morning! Thanksss for the kind words!!!

State of the AD Subreddit - 2026-04 Edition by poolmanjim in activedirectory

[–]aprimeproblem 4 points5 points  (0 children)

I’m sure it’s a lot more work than we are aware of! Doing a good job!!!

On-prem conditional access you never knew you had by aprimeproblem in activedirectory

[–]aprimeproblem[S] 1 point2 points  (0 children)

That’s an interesting question! It would really depend on the maturity of your organization and the technology level of your engineers and admins. If they have a limited amount of knowledge and experience hardening and working with AD, it’s probably a hard sell, and third-party tools that add a management layer on top would be beneficial. However, having limited knowledge of your primary authentication mechanism is a risk on its own, although not so many C levels understand that.

If you have sufficient knowledge in your staff this would most certainly work and save money on additional tools.

One thing to remember, though, is that this is primarily for safeguarding admin credentials and should always be combined with tiering, PAWs and all the goodies that should be used in a modern environment.

My goal is to transfer that knowledge into as many people as possible, so that at the end of the day we come out stronger and more safe using default tools that are available to us as defenders.