What’s New in PKI Spotlight – Feb 2023 Release
Join Nick Sirikubult, Program Manager for PKI Spotlight, and Michael Bruno, PKI Software Engineer, as they showcase the latest features of PKI Spotlight during our Feb 7 Webinar. We will be adding the entire video along with Q&As to this page.
Nick and Michael demonstrated the latest first-of-its-kind Best Practices Engine, built to keep your PKIs and HSMs functional, available, and secure. This version includes:
- Updated Best Practice Playbooks (PKI Solutions’ expertise captured in PKI Spotlight)
- New Best Practices around Certificate Templates
They also demonstrated how PKI Spotlight automatically alerts you when your environment is exposed to PetitPotam (CVE-2021-36942), the MS-EFSRPC authentication-coercion flaw that attackers chain with NTLM relay attacks against AD CS web enrollment.
In addition, we covered our support for HashiCorp Vault, which extends PKI Spotlight’s management support to non-Microsoft (non-ADCS) PKIs, along with a call for early-access participants to help design these functions.
- Latest Best Practices Engine
- PetitPotam Vulnerability Detection and Mitigation Playbook
- Certificate Template Best Practices
- HashiCorp Vault Deep Dive
PetitPotam Escalation Attack Demo
Watch as Mike demonstrates how PKI Spotlight automatically checks whether your MS ADCS environment is vulnerable to the PetitPotam NTLM relay attack (CVE-2021-36942). By coercing a domain controller to authenticate to an attacker-controlled host and relaying that NTLM authentication to the CA’s web enrollment endpoint, an attacker can obtain a certificate for the domain controller and use it to take over the entire Active Directory forest, making servers “believe” that the attacker has a legitimate right to access them.
PKI Spotlight also gives your ADCS a clean bill of health once PetitPotam (CVE-2021-36942) is mitigated. FACT: Hippos are far more dangerous than they look! And all because somebody accepted a default checkbox, or made changes and forgot to revert them. PKI Admins, we know you are juggling multiple roles and might not have the time to focus 100% on PKIs. Don’t worry, in PKI Spotlight you have a trusted advisor!
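One way to run the PetitPotam relay-target check yourself, as an added example that is not PKI Spotlight’s own code: the script below audits the AD CS HTTP endpoints hosted in IIS on the CA (or web enrollment) server for the settings Microsoft’s KB5005413 mitigation guidance covers. Windows (NTLM-capable) authentication on /CertSrv, the CES or the CEP applications without Extended Protection for Authentication set to Require and without TLS is what makes a coerced DC authentication relayable. It assumes it runs elevated with the IIS WebAdministration module present; site and application names are discovered from IIS rather than assumed.

```powershell
# Added example, not PKI Spotlight code. Reports, per AD CS web application,
# whether the configuration leaves it usable as an NTLM relay target.
# Assumes: elevated session on the CA / web enrollment host, WebAdministration module.
Import-Module WebAdministration

function Get-IisProp {
    # Get-WebConfigurationProperty returns a wrapper object (with .Value) for
    # bool/int attributes and a plain string for string/enum ones; normalise both.
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Get-AdcsRelayExposure {
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'

    # Host-wide inbound NTLM policy: 0 = allow, 1 = deny domain accounts, 2 = deny all.
    $ntlmPolicy = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
        -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    if ($null -eq $ntlmPolicy) { $ntlmPolicy = 0 }

    foreach ($site in Get-Website) {
        # AD CS endpoints: /CertSrv (Web Enrollment), <CA>_CES_<auth> (Enrollment Web
        # Service) and ADPolicyProvider_CEP_<auth> (Enrollment Policy Web Service).
        $apps = Get-WebApplication -Site $site.Name |
            Where-Object { $_.Path -match '^/(CertSrv$|.*_CES_|.*_CEP_)' }

        foreach ($app in $apps) {
            $psPath    = "IIS:\Sites\$($site.Name)\$($app.Path.TrimStart('/'))"
            $enabled   = [bool](Get-IisProp $psPath $winAuth 'enabled')
            $epa       = [string](Get-IisProp $psPath "$winAuth/extendedProtection" 'tokenChecking')
            $providers = @((Get-WebConfiguration -PSPath $psPath -Filter "$winAuth/providers").Collection |
                           ForEach-Object { $_.value })
            $ssl       = [string](Get-IisProp $psPath 'system.webServer/security/access' 'sslFlags')

            $findings = @()
            if ($enabled) {
                if ($providers -contains 'NTLM') {
                    $findings += 'NTLM offered as an authentication provider'
                } elseif ($providers -contains 'Negotiate') {
                    # Plain Negotiate can still downgrade to NTLM; Negotiate:Kerberos cannot.
                    $findings += 'Negotiate provider allows NTLM fallback'
                }
                if ($epa -ne 'Require') { $findings += "EPA tokenChecking is '$epa', expected 'Require'" }
                if ($ssl -notmatch 'Ssl') { $findings += 'TLS not required (sslFlags lacks Ssl)' }
            }

            [pscustomobject]@{
                Site               = $site.Name
                Application        = $app.Path
                WindowsAuth        = $enabled
                Providers          = ($providers -join ',')
                EPA                = $epa
                SslFlags           = $ssl
                IncomingNtlmDenied = ($ntlmPolicy -eq 2)
                Relayable          = ($findings.Count -gt 0 -and $ntlmPolicy -ne 2)
                Findings           = ($findings -join '; ')
            }
        }
    }
}

Get-AdcsRelayExposure | Format-Table -AutoSize
```

This inspects only the relay-target side (the CA’s IIS endpoints); it does not tell you whether the EFS RPC hardening for CVE-2021-36942 is installed on your domain controllers, which is the coercion side of the chain and is checked separately through patch status.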
Kerberos: Prevent malicious users from exploiting ADCS certificates to take full control
Watch Mike, your friendly neighborhood malicious actor, take full control* of the AD forest through a misconfigured certificate template, and see how PKI Spotlight catches the misconfiguration with its Best Practice Checks.
*FULL CONTROL = they can do anything they want: run as Domain Admins, set up backdoors, intercept communications, sign whatever they want.
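The misconfiguration in this demo is the one the Q&A below refers to: a published template with Supply in the Request enabled, no CA certificate manager approval, an EKU usable for client or smart-card logon, and enrollment rights granted to a broad group. The following added example (not PKI Spotlight’s Best Practice Check) reproduces that check against the templates in the Configuration partition. It assumes the ActiveDirectory PowerShell module and read access to the Configuration naming context; the flag bits, OIDs and extended-right GUIDs come from the MS-CRTD and MS-WCCE specifications.

```powershell
# Added example, not PKI Spotlight code. Lists published templates on which a
# low-privileged enrollee can supply the subject/SAN (and therefore impersonate
# any account, e.g. an Enterprise Admin) without manager approval.
# Assumes: ActiveDirectory module, read access to the Configuration NC.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: "CA certificate manager approval"
$AuthEkus = '1.3.6.1.5.5.7.3.2',           # Client Authentication
            '1.3.6.1.4.1.311.20.2.2',      # Smart Card Logon
            '1.3.6.1.5.2.3.4',             # PKINIT Client Authentication
            '2.5.29.37.0'                  # Any Purpose
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-LowPrivSids {
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Everyone, Authenticated Users, Domain Users, Domain Computers
    'S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515"
}

function Get-LowPrivEnrollers {
    # Return the identities from the template ACL that are in the low-privilege
    # set and hold Enroll/AutoEnroll (or full control) on the template.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd, [string[]]$LowPrivSids)
    $hits = foreach ($ace in $Sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }
        $rights   = $ace.ActiveDirectoryRights
        $extRight = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isEnroll = $extRight -and ($ace.ObjectType -eq $EnrollRight -or
                                    $ace.ObjectType -eq $AutoEnrollRight -or
                                    $ace.ObjectType -eq [guid]::Empty)   # Empty = all extended rights
        $isFull   = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0
        if ($isEnroll -or $isFull) { $ace.IdentityReference.Value }
    }
    @($hits | Select-Object -Unique)
}

function Get-RiskyTemplates {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNc"

    # A template is only exploitable if some enrollment service publishes it.
    $published = @(Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates })
    $lowPriv = Get-LowPrivSids

    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
        -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

    foreach ($t in $templates) {
        if ($published -notcontains $t.Name) { continue }
        $supplies   = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $approval   = ([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $ekus       = @($t.pKIExtendedKeyUsage)
        # No EKU at all means "any purpose", which also covers authentication.
        $authUsable = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
        $enrollers  = Get-LowPrivEnrollers -Sd $t.nTSecurityDescriptor -LowPrivSids $lowPriv

        if ($supplies -and -not $approval -and $authUsable -and $enrollers.Count -gt 0) {
            [pscustomobject]@{
                Template         = $t.Name
                SuppliesSubject  = $supplies
                ManagerApproval  = $approval
                EKUs             = ($ekus -join ',')
                LowPrivEnrollers = ($enrollers -join ', ')
            }
        }
    }
}

Get-RiskyTemplates | Format-Table -AutoSize
```

Because the enrollment ACL is part of the condition, a Supply-in-the-Request template whose Enroll right is restricted to a single service account (the NDES case raised in the Q&A) is not reported; widen the low-privilege SID list if your environment treats other groups as untrusted.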
Here are the Questions & Answers from this webinar
Q: What are the standards or references for PKI Best practice and compliance?
A: To date, PKIs do not have a well-defined best-practices and compliance standard. All major controls and benchmarks do not cover PKIs in depth. PKI Solutions has been working with customers over the years to define and refine these controls. With PKI Spotlight we are capturing and automating visibility into these controls and best practices. We believe that PKI Spotlight is the only product in the industry to offer this functionality.
Q: Does PKI Spotlight supersede PKI Assessment, or would I still need to run a PKI Assessment on top of PKI Spotlight?
A: We are including PKI Assessment functionality in PKI Spotlight, with real-time monitoring of deviations from Best Practices. All new controls and best practices are being developed in PKI Spotlight. In the interim, customers will need to run both to get access to Best Practices that have not yet been introduced in PKI Spotlight.
Please reach out to Carolyn Ballo, firstname.lastname@example.org for more details.
Q: Is it possible to test-drive the EJBCA capabilities of PKI Spotlight?
A: The EJBCA extensibility functionality is available as part of PKI Solutions’ Early Access Program. Please contact Nick Sirikulbut, email@example.com for details on participating in the Early Access Program.
Q: Is there a reference for the issue in KB5014754?
A: We will be covering MS KB5014754 and how to get ahead of the impending deadlines in our upcoming webinar.
Q: In reference to the example of the EA and the certificate template with the subject supplied in the request, does this function of PKI Spotlight also take into account locked-down permissions to enroll on the template? I’m thinking of numerous false-positive results when NDES is in use.
A: If there are intentionally hardened permissions where Supply in the Request without certificate manager approval is detected, you can always suppress the alert.
Q: Do you have trials/POCs for PKI Spotlight?
A: Yes, we offer PKI Spotlight trials/proofs of concept.
Please contact Carolyn Ballo, firstname.lastname@example.org if you are interested to participate in one.
Q: Does PKI Spotlight test the IIS configuration of third-party Registration Authorities?
A: At this point our non-ADCS extensions are CA-specific; we’re working on extending them to RAs and VAs in future releases. Please contact
Q: Do you support Thales HSMs? For example, monitoring key access or whether HA is working properly?
A: PKI Spotlight currently supports nCipher/nShield HSMs, with Thales HSMs on the roadmap. However, PKI Spotlight can track the true operational status and availability of an ADCS Certificate Authority (CA) and its HSMs, indicating whether the Certificate Authority is truly able to digitally sign requests. This feature works with all HSMs. Please refer to the feature deep dive for more details: https://www.pkisolutions.com/spotlight-features/isalive-testing/.
Q: How is the merger with Phenna Group impacting your development of the PKI Solution tools or licensing of those tools?
A: This acquisition will help PKI Solutions continue to expand its innovations, products, and services to customers around the world, and it will accelerate development and improvements in our products and services.