Summer 2026 Product Release: PKI

Key Takeaways

  • You can migrate off AD CS without disruption by using a guided, validate-as-you-go workflow that runs the legacy and new CAs in parallel, re-enrolls in-flight certificates automatically, and gives you explicit rollback control at every checkpoint, turning a feared cutover into a routine, auditable project.
  • AD CS is no longer the limiting factor it once was for raw issuance, but it still lags on cloud-native delivery, cross-platform enrollment, and lifecycle automation at scale.
  • Migration is the ideal moment to layer in PQC-ready certificates, so modernization and quantum readiness happen in a single project rather than two.
  • An AI-assisted CPS interpretation step collapses days of manual certificate-policy translation into minutes.
  • When choosing a migration tool, weigh automation, scale, and CA-agnostic control against your actual estate rather than a generic feature checklist.

For more than two decades, Microsoft Active Directory Certificate Services (AD CS) has been the default engine of enterprise trust, issuing the certificates that authenticate users, secure devices, and underpin Windows-domain identity. The demands now placed on PKI, however, look nothing like the demands of 2006. Workloads have shifted to the cloud, certificate volumes have exploded alongside machine and non-human identities, validity periods are shrinking, IoT and connected devices are proliferating, and post-quantum cryptography has moved from theory to shipping infrastructure. The infrastructure that quietly held the line for years is now the constraint teams need to design around.

The good news: modernizing no longer means a risky rip-and-replace. With the right tooling, migrating off AD CS becomes a structured, validated workflow that doubles as a leap toward crypto-agility and quantum readiness.

Why legacy PKI struggles with what comes next

AD CS was designed for a static, on-premises, Windows-centric world. Certificate templates lived inside Active Directory, auto-enrollment ran on a predictable cadence, and “scale” meant a handful of issuing CAs serving a single forest. Today, security teams operate in a different environment, where several pressures compound at once:

  • Certificate volumes have grown sharply as users, workloads, containers, and devices each demand their own identity.
  • Shorter validity periods mean issuance must be automated. Under CA/Browser Forum Ballot SC-081v3, the maximum public TLS validity drops from 398 days to 200 days in March 2026 and reaches just 47 days by March 2029.
  • Hybrid and multi-cloud workloads expect PKI services that live well outside the AD domain.
  • Crypto-agility, including post-quantum readiness, has become a board-level concern now that NIST finalized its first PQC standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA).

As of the May 2026 Windows Server 2025 update, AD CS can natively issue ML-DSA post-quantum certificates. The gap is no longer that AD CS cannot do PQC; it is operational: AD CS still depends on Windows Server infrastructure, offers no native cloud integration, and was not designed to automate issuance and renewal across Linux, container, and DevOps pipelines at the volumes shorter lifecycles now require. Microsoft itself notes that PQC-capable CAs must be stood up anew rather than upgraded in place, which means modernization is unavoidable regardless of platform.

| Capability | Legacy AD CS | AppViewX PKI |
|---|---|---|
| Deployment model | On-prem Windows Server | Cloud-native, SaaS-delivered |
| Cross-platform enrollment | Windows-centric, workarounds for non-Windows | ACME, EST, SCEP, NDES, CMP, and Windows auto-enrollment |
| Lifecycle automation | Limited; often manual or scripted | End-to-end certificate lifecycle management |
| PQC issuance | Native ML-DSA (new CAs only, WS 2025) | PQC-ready certificates with automated discovery and management |
| CA-agnostic management | Single-vendor | Manage any public or private CA from one platform |
| Policy authoring | Manual CP/CPS interpretation | AI-assisted CPS-to-policy generation |

The reason most teams have waited is risk. Templates, group policies, auto-enrollment plumbing, and decades of certificate dependencies make migration look complex and disruptive. So the gap between what their PKI can do and what their business needs keeps widening. The opportunity is to remove that risk, not to keep deferring it.

What’s new: A guided AD CS migration utility, purpose-built for the enterprise

To close that gap, AppViewX has introduced a purpose-built AD CS Migration Utility Wizard within AppViewX PKI. It is a guided, validated, and auditable workflow that walks administrators through every step of moving Microsoft Certificate Authority (MSCA/AD CS) configurations to AppViewX PKI, without disrupting the applications, endpoints, and users that depend on them. It builds directly on the phased migration foundations introduced in the Spring 2026 release.

Three design choices set it apart:

  • The wizard does the heavy lifting. Discovery of Microsoft AD CS instances, source-to-target CA mapping, and recreation of certificate templates in AppViewX are all handled automatically, with administrators reviewing and approving rather than rebuilding by hand.
  • Modernization, compounded. Migration is the perfect moment to introduce PQC-ready certificates, and because AppViewX PKI supports post-quantum algorithms natively, customers can leave AD CS and step into a quantum-safe posture in the same project.
  • Policy on autopilot. A new CPS interpretation engine reads a plain-English Certificate Practice Statement in PDF format, uses an AI framework to extract cryptographic policies and validity parameters, and auto-generates a ready-to-use CLM Certificate Policy. No manual re-entry, no misinterpreted or mis-typed configurations.

Continuity comes from parallel CA operation, hierarchical mapping, and CA Switch for in-flight certificates. Control comes from clear progress tracking, validation checkpoints, and explicit rollback guidance. In short: a modernization journey that respects the gravity of PKI and the reality of production.

How it works: A validate-as-you-go workflow

The migration utility is launched directly from the AVX Platform (under the CA Migration section) and advances stage by stage, moving forward only when each checkpoint passes.

1. Pre-Validation and Permission Checks. Before anything is touched, the system verifies Enterprise Admin and Domain Admin privileges, validates network reachability to Active Directory over the Kerberos and LDAP ports, and confirms that AppViewX has rights to create templates and manage CA configurations. Missing permissions block the flow with clear, actionable remediation – no surprises mid-migration.

2. Discovery of MSCA CA Instances. Once the Windows Gateway is deployed as a secure bridge, the utility automatically discovers Root and Subordinate CAs across the AD forest. Administrators pick a strategy: fully migrate the Root CA into AppViewX, or keep the Root in Microsoft and modernize at the Subordinate (Issuing) tier.

3. Source-to-Target CA Mapping. Each AD CS CA is presented alongside a dropdown of AppViewX PKI CAs of the matching type. The UI maintains hierarchical awareness – preferring sub-CAs that sit under the mapped Root – and offers a one-click path to Create New PKI CA when needed, without ever leaving the workflow.

4. Template Retrieval and Equivalent Creation. The utility pulls AD-published certificate templates and extracts the attributes that matter – Extended Key Usage (EKU), Key Usage (KU), OID, validity period, renewal window, and key length. Each template is cloned with an AVX_PKI prefix, and a corresponding AppViewX template is created, mapped to the right issuer, and set up for auto-enrollment. Administrators can review, edit, and group templates before committing.

5. WAEP and Enrollment Server Setup. Finally, the wizard configures the Windows Auto-Enrollment Protocol (WAEP) agent, deploys the AppViewX Enrollment Server, registers it in Active Directory, and publishes Root and Intermediate trust – all script-driven, all validated, and all observable from the same UI.
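A read-only inventory script, added here as an illustration and not code from the AppViewX utility, that mirrors the reachability checks in step 1 and the template attributes listed in step 4, so a PKI team can compare the templates the wizard recreates against its own records. It assumes a domain-joined Windows host with read access to the configuration partition; `$DomainController` is an assumed parameter.

```powershell
# Added example, not AppViewX code: read-only pre-migration inventory that mirrors
# steps 1 and 4 above so admins can compare AD CS templates with the recreated ones.
# Assumes a domain-joined Windows host with read access to the configuration
# partition; $DomainController is an assumed parameter, not a product setting.
param(
    [string]$DomainController = $env:USERDNSDOMAIN
)

# Step 1: confirm the directory answers on the Kerberos (88) and LDAP (389) ports.
foreach ($port in 88, 389) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { throw "Port $port on $DomainController is unreachable; fix before migrating." }
}

# pKIExpirationPeriod and pKIOverlapPeriod are stored as a negative FILETIME
# interval (little-endian Int64, 100-ns ticks); convert to days for review.
function ConvertFrom-PkiPeriod([byte[]]$Raw) {
    if (-not $Raw) { return $null }
    [math]::Round(-[BitConverter]::ToInt64($Raw, 0) / 864000000000, 2)
}

$cfgNc = ([ADSI]"LDAP://$DomainController/RootDSE").configurationNamingContext
$pks   = "CN=Public Key Services,CN=Services,$cfgNc"

# Which templates each CA actually publishes (pKIEnrollmentService objects).
$publishedOn = @{}
foreach ($ca in ([ADSI]"LDAP://$DomainController/CN=Enrollment Services,$pks").Children) {
    foreach ($name in $ca.Properties['certificateTemplates']) {
        $publishedOn[$name] += "$($ca.Properties['cn'].Value);"
    }
}

# Step 4: the attributes the wizard maps - EKU, KU, OID, validity, renewal, key size.
$templates = [ADSI]"LDAP://$DomainController/CN=Certificate Templates,$pks"
$inventory = foreach ($t in $templates.Children) {
    $cn = $t.Properties['cn'].Value
    $ku = $t.Properties['pKIKeyUsage'].Value
    [pscustomobject]@{
        Template     = $cn
        PublishedOn  = ($publishedOn[$cn] -replace ';$')
        OID          = $t.Properties['msPKI-Cert-Template-OID'].Value
        EKU          = @($t.Properties['pKIExtendedKeyUsage']) -join ';'
        KeyUsageHex  = if ($ku) { [BitConverter]::ToString([byte[]]$ku) -replace '-' }
        ValidityDays = ConvertFrom-PkiPeriod $t.Properties['pKIExpirationPeriod'].Value
        RenewalDays  = ConvertFrom-PkiPeriod $t.Properties['pKIOverlapPeriod'].Value
        MinKeySize   = $t.Properties['msPKI-Minimal-Key-Size'].Value
    }
}

# Templates with an empty PublishedOn are candidates to retire rather than migrate.
$inventory | Sort-Object Template | Format-Table -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path '.\adcs-template-inventory.csv'
```

Diff the exported CSV against the AVX_PKI-prefixed templates after step 4 to confirm that validity, renewal window and minimum key size survived the mapping unchanged.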

Throughout the journey, in-flight certificates are not left behind. AppViewX’s CA Switch capability in the CLM module re-enrolls existing certificates from the old CA to the new one, surfacing migration readiness in the Process Explorer so teams can validate before they cut over. This is the same Windows auto-enrollment integration that lets AppViewX PKI replace a Microsoft CA without an additional client footprint.

Two adjacent capabilities make the migration a true modernization moment. First, the AppViewX PKI CAs created during mapping can be configured to issue post-quantum-ready certificates, so newly migrated templates start crypto-agile by design: no second project, no second outage window.

Second, the CPS interpretation engine lets administrators upload their existing Certificate Practice Statement as a PDF: the platform parses it with an AI framework, surfaces the extracted key parameters (validity, key algorithm, bit length, hash algorithm, ECC curves) for human review, and generates a fully populated CLM Certificate Policy. Policy work that used to take days to weeks of cross-team interpretation collapses into minutes, with every action captured in the audit log.

The business outcome: Modernize without the risk premium

For PKI and security leaders, the value of a guided migration shows up in three places that matter to the business:

  • Lower migration risk. Pre-validation, parallel CA operation, and rollback guidance mean PKI modernization no longer demands a maintenance window the size of a holiday weekend.
  • Faster time-to-modern-PKI. What used to be a multi-quarter consulting engagement becomes a structured, auditable workflow that PKI teams can execute themselves, often in days, not months.
  • Two modernization wins from one project. Because the wizard auto-discovers, maps, and recreates CAs and templates, teams can layer PQC-ready certificates and AI-interpreted certificate policies into the same migration, turning a forced lift-and-shift into a strategic leap.
  • A platform ready for what is next. AppViewX PKI is cloud-native, automation-first, and post-quantum-ready. Migrating off AD CS is not a lateral move, but a foundation for short-lived certificates, machine identity at scale, crypto-agility, and PQC.

The next chapter of trust will be built on a PKI that is more modern, more automated, and more agile. With the new AD CS Migration Utility, the path from one to the other is automated and free of manual errors.

About the Author

Rohan Ramesh

Director of Product Management, AppViewX

Product leader who has worked with global teams to successfully launch and scale enterprise products in cybersecurity, networking and cloud. Rohan is experienced in leading cross-functional teams and managing multiple product portfolios.
