Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →
Case Study

9 Issuing CAs. Expiring Root. A Global Retailer's PKI Assessed, Consolidated, and Rebuilt

How Encryption Consulting assessed a global retailer’s aging PKI, migrated from ADCS 2008 to 2016 R2, consolidated 9 Issuing CAs to 4, deployed HSMs with Key Ceremony procedures, and enabled support for MDM, VPN, and IoT certificate requirements.
9 Issuing CAs. Expiring Root. A Global Retailer’s PKI Assessed, Consolidated, and Rebuilt 

Customer Profile

A global retail organization with physical and online stores selling clothing, electronics, groceries, and home essentials. Employs thousands worldwide with a focus on sustainable practices and customer trust.

Industry

Retail, Global E-Commerce & Physical Stores

Engagement Type

PKI Assessment & Deployment (Infrastructure Modernization)

At a Glance Outcome

9 → 4

Issuing CAs consolidated, reducing infrastructure and maintenance costs

ADCS 2016 R2

New PKI service replacing end-of-support ADCS 2008

FIPS Level 3

HSM deployed for Root CA and ICA key storage

MDM·VPN·IoT

New certificate requirements enabled across the organization

The Enterprise

Challenges

The organization's PKI had grown without structured planning, running on an end-of-support platform with an expiring Root CA, no governance documentation, insufficient skilled resources, and keys stored outside secure hardware.

No certificate tracking or planning

Lost track of issued certificates, expiry dates, and locations. No PKI operations planning, leading to failed audits and misuse risks.
01 PLANNING

Expiring Root CA on ADCS 2008

Root CA on end-of-support ADCS 2008 with an expiring certificate. No regular CPS audits conducted, putting certificate chain trust at risk.
02 ROOT CA

Insufficient skilled PKI resources

Lacked dedicated PKI personnel to manage infrastructure, respond to outages, or handle security incidents. In-house PKI was underresourced.
03 Resources
The PKI had grown with the business but without a plan. An expiring Root CA on end-of-support infrastructure, 9 uncoordinated Issuing CAs, and keys outside secure hardware needed a full rebuild.

Encryption Consulting

Engagement Summary · Encryption Consulting · PKI Services

Our Offered

Solutions

The engagement covered a full PKI assessment, platform migration, CA consolidation, HSM deployment with Key Ceremony, hierarchy redesign with offline Root CA, template validation, and CRL distribution configuration.

Capability 01

PKI Assessment & ADCS Migration

Assessed the existing PKI and designed a new ADCS 2016 R2 service, resolving Root CA expiry and replacing end-of-support ADCS 2008.

Capability 02

CP/CPS & CA Consolidation

Created CP/CPS documents, consolidated 9 Issuing CAs to 4, and established governance procedures while reducing redundancy and infrastructure costs.

Capability 03

HSM, Key Ceremony & Hierarchy

Deployed FIPS 140-2 Level 3 HSMs for Root/ICA key storage, defined Key Ceremony procedures with custodian roles and responsibilities, and built an offline Root CA hierarchy with 4 Issuing CAs across 4 domain forests.

Capability 04

Template & CRL Distribution

Validated and created certificate templates for MDM, VPN, and IoT requirements. Configured HTTP and LDAP as CRL Distribution Points.
The result was a rebuilt PKI with a secure offline Root CA, consolidated Issuing CAs, HSM-protected keys, governance documentation, and certificate templates covering current and planned requirements.

Encryption Consulting

Engagement Summary · Encryption Consulting · PKI Services

The Overall

Business Outcome

The PKI assessment and deployment gave the organization a documented, modern PKI infrastructure with defined people, processes, and technology to manage it long-term.

01

Consolidated infrastructure, reduced costs

Consolidated 9 Issuing CAs to 4, reducing redundant infrastructure and maintenance costs. ADCS 2016 R2 replaced the end-of-support system, eliminating Root CA expiry risk.
02

Audit readiness and governance

CP/CPS documentation, custodian roles, and Key Ceremony procedures gave auditors all required information. People, processes, and technology defined for ongoing PKI management.
03

New certificate demands enabled

Enabled MDM, VPN, and IoT requirements through validated and new templates. Issued certificates with a trusted chain for internal web applications, preparing PKI for future needs.

Discover Our

Latest Resources

Education Center

Microsoft Intune Design Models 

Compare Microsoft Intune design models: cloud-native vs hybrid co-management with Configuration Manager. Pros, cons, and how to pick the right architecture.

Read more
Case-Studies

White Paper

The Cert Wars: The Race Against Expiry

One expired certificate (cert) can bring operations to a halt. Discover how to prevent outages and manage certificate expiry before it impacts your business.

Read more
Case-Studies

Video

The 2029 Convergence: Why Microsoft, Google, and Cloudflare All Chose the Same PQC Deadline

Explore expert insights on cybersecurity, PKI, and post-quantum readiness, with practical guidance to strengthen security and future-proof cryptography.

Watch Now
Case-Studies