RunAs Radio

Securing Active Directory Certificate Services with Ron Arestia

Feb 11, 2026
Ron Arestia is a senior security researcher specializing in ADCS and PKI at Microsoft DART. He discusses how neglected ADCS setups enable lateral movement, explains PKI tiers, the importance of an offline root, and revocation and CRL practices, compares running an enterprise PKI against cloud options, and outlines the common misconfigurations attackers exploit.
INSIGHT

PKI Is The Root Of Trust

  • PKI is the foundational trust layer for organizational cryptography and must be properly designed.
  • Neglecting Active Directory Certificate Services leaves broad attack surfaces and systemic risk.
ADVICE

Write Your PKI Design First

  • Document everything before you deploy ADCS and fill installer values from that plan.
  • Treat 90% of a PKI project as documentation to make deployments repeatable and secure.
ADVICE

Keep The Root CA Offline

  • Use an offline root CA and store its private key securely (for example on a disconnected VM image in a safe).
  • Rehydrate the PKI from the root key if needed instead of relying on a single online root.