Is It Time to Switch from Our Internal PKI to a Cloud-Based Solution?

Asked By TechieTinker123 On

I'm trying to get some community input on managing certificates effectively these days. We currently handle around 1,000 endpoints, all managed through Intune, using Clearpass NAC with EAP-TLS for authentication, and NDES for SCEP certificates. Our PKI setup has a couple of domain-joined servers: one issuer and one NDES. However, our Active Directory is primarily just syncing users to Azure AD and managing our server infrastructure, which consists of about 60 servers.

To be honest, we're not great at managing our AD Certificate Services (ADCS). Our templates are messy, permissions are improperly applied across many templates, and we've had issues with elevated access during pentests due to certificate exploitation. Even though we fix the vulnerabilities, there are just too many problems. Currently, we use a self-signed root certificate that signs the Issuing CA, and since the root cert expires in 2028, I want us to be proactive about this.

Here are my questions:

1. Should we opt for a root certificate signed by a trusted authority? This could mean more renewals but would eliminate the need to manually install it on every endpoint.

2. Is it worth completely abandoning ADCS? We intend to keep our AD domain, so I'm worried about how difficult it might be to unwind ADCS.

3. Given that we mainly use certificates for endpoint authentication via EAP-TLS, is transitioning to a Cloud PKI a smart move? I find it tough to justify the costs, especially since our current setup costs around $150/month, whereas Cloud PKI services may be upwards of $2,500/month.

4. Are there any modern solutions that could better meet our needs for secure network authentication while minimizing infrastructure complexity and keeping costs manageable?

I'm eager to hear how others are handling endpoint certificates in 2025!

1 Answer

Answered By CloudGuru87 On

Scepman costs around $600/month for 1,000 users. Just keep in mind that with 1,000 endpoints, that doesn’t necessarily equal 1,000 users. Generally, cloud PKI solutions charge based on the number of users, and if some users enroll multiple devices, you might only pay for those users.

If you can get the costs down to something reasonable, I’d personally recommend switching to a cloud PKI solution. The security benefits alone can make it worth it. Alternatively, you might want to consider setting up a new ADCS environment that’s properly configured according to hardening guides, then retire the outdated one with its numerous issues.

UserAdmin288 -

We license about 900 E5 users, and our company has downsized recently. I think I can convince my boss that transitioning to Scepman for SCEP certs would lessen the management burden of the NDES server. Your input really helps! I’m also leaning towards rebuilding the ADCS to get it back on track, but honestly, I felt overwhelmed when I set up the NDES server. Since the previous admin left last year, the system has just run without a hitch, so we kind of left it alone.
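Since both the question and the answer come back to templates with misapplied permissions and the option of rebuilding ADCS against a hardening guide, here is an added audit script (my addition, not code from anyone in the thread). It lists templates published on the issuing CA that combine broad enrollment rights, an authentication-capable EKU, an enrollee-supplied subject and no approval gate, which is the pattern behind the kind of privilege escalation the poster saw in pentests. It assumes the ActiveDirectory PowerShell module on a domain-joined machine with read access to the configuration partition; the OIDs, flag bits and extended-right GUIDs are the documented Microsoft values.

```powershell
# Added example: audit published ADCS templates for the risky combination described above.
# Assumes the ActiveDirectory module; any domain user can read these objects.
Import-Module ActiveDirectory

$cfg     = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$caBase  = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"

# Only templates enabled on a CA can actually be enrolled against.
$published = Get-ADObject -SearchBase $caBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

# EKUs usable for domain authentication (an empty EKU list means "any purpose").
$authEku     = @('1.3.6.1.5.5.7.3.2','1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.2.3.4','2.5.29.37.0')
# Principals that amount to "everyone" when granted Enroll.
$broad       = @('Authenticated Users','Domain Users','Domain Computers','Everyone')
# Certificate-Enrollment and Certificate-AutoEnrollment extended rights.
$enrollGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55','a05b8cc2-17bc-4802-a710-e7c15ab866a2')
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

$props = 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature',
         'pKIExtendedKeyUsage','nTSecurityDescriptor'
Get-ADObject -SearchBase $tplBase -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties $props |
  Where-Object { $published -contains $_.Name } |
  ForEach-Object {
    $t = $_
    $ekus            = @($t.pKIExtendedKeyUsage)
    $supplySubject   = ($t.'msPKI-Certificate-Name-Flag' -band 1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($t.'msPKI-Enrollment-Flag' -band 2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $sigsRequired    = [int]$t.'msPKI-RA-Signature' -gt 0
    $authCapable     = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $authEku -contains $_ })

    # Who can enroll: an Allow ACE for Enroll/AutoEnroll (or all extended rights, or GenericAll).
    $broadEnroll = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($broad -notcontains $who) { continue }
        $ext  = (($ace.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
                ($ace.ObjectType -eq [guid]::Empty -or $enrollGuids -contains $ace.ObjectType.ToString())
        $full = ($ace.ActiveDirectoryRights -band $rights::GenericAll) -ne 0
        if ($ext -or $full) { $who }
    }

    if ($broadEnroll -and $authCapable -and $supplySubject -and -not $managerApproval -and -not $sigsRequired) {
        [pscustomobject]@{ Template = $t.Name; EnrollableBy = ($broadEnroll -join ', ');
                           Fix = 'remove broad Enroll, or clear enrollee-supplied subject, or require approval' }
    }
  }
```

Run it before migrating templates to a rebuilt CA so that the new environment does not inherit the same grants; anything it lists should be unpublished from the CA until corrected.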
