This episode features Jake Hildreth, Principal Security Consultant at Semperis.

With nearly 25 years of IT experience, Jake has seen how Active Directory Certificate Services (AD CS) can quietly become the most fragile, and most dangerous, part of an enterprise’s identity infrastructure. Misunderstood, neglected, and often misconfigured, AD CS can hand attackers the ability to impersonate anyone in the organization.

In this episode, Jake demystifies why certificates feel like “cult knowledge,” explains how simple missteps in AD CS cascade into critical risks, and shares real-world lessons from the front lines. He also introduces tools designed to help overworked admins find and fix issues before adversaries exploit them.

This is a candid look at one of the least understood but most critical components of identity security, and the steps every security team should take now to avoid becoming the slowest gazelle in the herd.

Guest Bio

Jake Hildreth is a Principal Security Consultant at Semperis, Microsoft MVP, and longtime builder of tools that make identity security suck a little less. With nearly 25 years in IT (and the battle scars to prove it), he specializes in helping orgs secure Active Directory and survive the baroque disaster that is Active Directory Certificate Services.

He’s the creator of Locksmith, BlueTuxedo, and PowerPUG!, open-source tools built to make life easier for overworked identity admins. When he’s not untangling Kerberos or wrangling DNS, he’s usually hanging out with his favorite people and most grounding reality check: his wife and daughter.

Guest Quote

" The thing that you practice, whether it's one or a million things you're going to practice will never happen, but the thing that does will be informed by the muscle memory you've developed over that practice period. And you'll know that you either can or cannot weather the storm with your own resources.”

Time stamps

05:00 Why Are People Afraid of Certificates?

07:52 Basics of Public Key Infrastructure (PKI)

17:36 How AD CS Integrates with Active Directory

20:20 Setting Up and Configuring AD CS

23:19 Active Directory and Certificate Services Integration

23:54 Consequences of a Compromised AD

25:55 Primary Use Cases for AD CS

28:39 Recommendations for Managing AD CS

30:46 Locksmith: A Tool for AD CS Issues

34:06 Common Security Issues in AD CS

38:28 Steps to Improve AD CS Security

Sponsor

The HIP Podcast is brought to you by Semperis, the leader in identity-driven cyber resilience for the hybrid enterprise. Trusted by the world’s leading businesses, Semperis protects critical Active Directory environments from cyberattacks, ensuring rapid recovery and business continuity when every second counts. Visit semperis.com to learn more.

Links

Connect with Jake on LinkedIn

Learn about Locksmith

Learn about Purple Knight

Connect with Sean on LinkedIn

Don't miss future episodes

Register for HIP Conf 2025

Learn more about Semperis