Truvald™

Full Feature Reference

Everything Truvald™ checks, monitors, and reports.

Truvald™ covers the full breadth of Microsoft ADCS security and health — from ESC attack paths to CRL monitoring to governance documentation. Here's what's under the hood.

Security Assessment Engine

80+ controls. Every role. Every finding answered.

Truvald™ systematically evaluates your ADCS infrastructure against a library of security controls. Controls are organized by category — each with a consistent ID, severity rating, description, and remediation recommendation. Every control gets an answer. You are never left wondering "was this actually checked?"

Severity levels: Critical · High · Moderate · Low · Informational · Good
  • ESC
    Attack Path Controls
    All 16 SpecterOps "Certified Pre-Owned" ADCS privilege escalation paths. Template misconfigurations, CA flags, enrollment agent abuse, NTLM relay, and unauthorized NTAuth entries.
    ESC-001 through ESC-016
  • CA
    Certificate Authority
    CA certificate validity, chain completeness, CRL configuration, AIA and CDP endpoints, audit policy, HSM protection, role separation, and CA-specific hardening.
    CA-001 through CA-031
  • OS
    OS Hardening
    Server baseline hardening for CA and management workstations — WDigest, SMBv1, RDP security, LSA protection, NTLMv2, local administrators, Windows Firewall, and audit policy.
    OS-001 through OS-019+
  • GPO
    Group Policy
    GPO conflict detection, OS-inappropriate settings applied to CA servers, application order analysis via SYSVOL — no Remote Registry required.
    Per-server GPO controls
  • TPL
    Certificate Templates
    Template permission hygiene, ESC surface mapping, cryptographic algorithm checks, validity period review, and enrollment permission analysis across all published templates.
    TPL series controls
  • SRV
    Governance Survey
    26-question operational readiness survey covering key protection, backup procedures, CP/CPS documentation, role accountability, and PKI emergency response planning.
    SRV-001 through SRV-026
  • OCSP
    OCSP Responder
    OCSP responder health, signing certificate validity, revocation configuration, and responder reachability from the assessment workstation.
    OCSP-specific controls
  • NDES
    NDES / CEP / CES
    Network Device Enrollment Service, Certificate Enrollment Policy, and Certificate Enrollment Web Service specific security and configuration controls.
    Role-specific controls

ESC Attack Path Controls (Selected)

  • ESC-001
    SAN Supply via Template
    Templates allowing enrollees to supply Subject Alternative Names with broad enrollment permissions and no manager approval.
    Critical
  • ESC-003
    Enrollment Agent Abuse
    Templates that allow enrollment on behalf of another user without constrained delegation — impersonation to Domain Admin.
    Critical
  • ESC-004
    Template Write Access
    Non-privileged principals with write access to template objects in Active Directory — modification to introduce ESC-001.
    Critical
  • ESC-006
    EDITF_ATTRIBUTESUBJECTALTNAME2
    CA-level flag that allows SAN supply on any template — effectively ESC-001 for every template published on this CA.
    Critical
  • ESC-008
    NTLM Relay to ADCS HTTP
    Web enrollment endpoints (certsrv) exposed without EPA (Extended Protection for Authentication), enabling NTLM relay attacks for machine certificate theft.
    High
  • ESC-016
    Unauthorized CA in NTAuth Store
    Rogue CAs present in the NTAuthCertificates store — can issue certificates for AD authentication without authorization.
    Critical
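The ESC-001 and ESC-006 conditions above can be evaluated from two inputs a PKI admin already has: the template's attributes in Active Directory and the CA's policy-module EditFlags as printed by certutil. The PowerShell below is an added example written for this page, not Truvald's own code. The attribute names (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`) and the flag bit values are the documented ones; `EnrollPrincipals` is a hypothetical, pre-resolved list of identities holding the Enroll right (resolving it from the template's security descriptor is not shown); the two ESC1 conditions the page's one-line summary leaves implicit, no authorized-signature requirement and an authentication-capable EKU, come from the SpecterOps ESC1 definition; the sample template and certutil output are constructed so the script runs offline.

```powershell
# Added example, not Truvald code: evaluate the ESC-001 template conditions and the
# ESC-006 CA flag from data already in hand. Template keys are the real attribute
# names on pKICertificateTemplate objects; values and certutil output are constructed.

# Bit values from the Microsoft certificate template and CA policy documentation.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: manager approval
$EDITF_ATTRIBUTESUBJECTALTNAME2    = 0x00040000   # CA policy module EditFlags

# EKUs that let a certificate authenticate to AD; an empty EKU list means "any purpose".
$AuthEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0')
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

function Test-Esc001Template {
    param([Parameter(Mandatory)][hashtable]$Template)
    # Returns a finding object when every ESC-001 condition holds, otherwise $null.
    if (-not ($Template['msPKI-Certificate-Name-Flag'] -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) { return $null }
    if ($Template['msPKI-Enrollment-Flag'] -band $CT_FLAG_PEND_ALL_REQUESTS) { return $null }
    if ($Template['msPKI-RA-Signature'] -gt 0) { return $null }
    $eku = @($Template['pKIExtendedKeyUsage'] | Where-Object { $_ })
    if ($eku.Count -gt 0 -and -not ($eku | Where-Object { $AuthEkus -contains $_ })) { return $null }
    # EnrollPrincipals: assumed pre-resolved list of identities with the Enroll right.
    $broad = @($Template['EnrollPrincipals'] | Where-Object { $BroadPrincipals -contains $_.Split('\')[-1] })
    if ($broad.Count -eq 0) { return $null }
    [PSCustomObject]@{
        Control  = 'ESC-001'
        Severity = 'Critical'
        Template = $Template['cn']
        Detail   = "enrollee supplies subject; no manager approval; no RA signature; auth EKU; Enroll granted to $($broad -join ', ')"
    }
}

function Test-Esc006EditFlags {
    param([Parameter(Mandatory)][string[]]$CertutilOutput, [string]$CaName = 'unknown')
    # Parses the EditFlags line of: certutil -config "<host>\<CA>" -getreg policy\EditFlags
    $m = [regex]::Match(($CertutilOutput -join "`n"), 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if (-not $m.Success) { throw 'EditFlags line not found in certutil output' }
    $flags = [Convert]::ToInt64($m.Groups[1].Value, 16)
    $set   = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
    $sev   = if ($set) { 'Critical' } else { 'Good' }
    $why   = if ($set) { 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SAN can be supplied on any template' } else { 'flag not set' }
    [PSCustomObject]@{ Control = 'ESC-006'; Severity = $sev; CA = $CaName; EditFlags = ('0x{0:x}' -f $flags); Detail = $why }
}

# Constructed sample inputs.
$sampleTemplate = @{
    cn                            = 'LegacyWebServer'
    'msPKI-Certificate-Name-Flag' = 0x1                                            # ENROLLEE_SUPPLIES_SUBJECT
    'msPKI-Enrollment-Flag'       = 0x0                                            # no manager approval
    'msPKI-RA-Signature'          = 0
    pKIExtendedKeyUsage           = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')   # Server Auth + Client Auth
    EnrollPrincipals              = @('CONTOSO\PKI Web Admins', 'CONTOSO\Domain Users')
}
$sampleCertutil = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Contoso Issuing CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:'
    ''
    '  EditFlags REG_DWORD = 15014e (1376590)'
    '    EDITF_REQUESTEXTENSIONLIST -- 2'
    '    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000'
    'CertUtil: -getreg command completed successfully.'
)

Test-Esc001Template -Template $sampleTemplate
Test-Esc006EditFlags -CertutilOutput $sampleCertutil -CaName 'CA01\Contoso Issuing CA'
```

For a live run, the template hashtables come from `Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Filter * -Properties *`, and the certutil lines from `certutil -config "<host>\<CA>" -getreg policy\EditFlags`. The ESC-006 check deliberately keys on the hex value rather than on the flag-name lines, since the hex is what the CA actually honours.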

CA & OS Controls (Selected)

  • CA-002
    CA Certificate Validity
    CA certificate expiry status and remaining lifetime. An expired CA certificate is a catastrophic event — caught here before your users experience it.
    Critical
  • CA-005
    CA Audit Policy
    Verifies that the CA is configured to audit certificate requests, approvals, denials, and revocations. Missing audit events mean blind spots.
    Moderate
  • CA-013
    HSM Key Protection
    CA private key stored in a Hardware Security Module vs. software-only key container. Software keys are extractable by an attacker with local admin.
    High
  • OS-007
    WDigest Authentication
    WDigest enabled causes plaintext credentials to be cached in LSASS memory — retrievable by any process with debug privilege.
    High
  • OS-019
    CA Role Separation
    Validates that users in PKI administrative groups follow appropriate Tier 0 separation — no domain admin accounts in CA admin roles.
    Moderate
  • CA-019
    CRL Freshness
    CRL publication status, time to next update, and delta CRL configuration. A stale CRL causes certificate validation failures across your entire environment.
    Good
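The OS-series controls listed above (OS-007 among them) are registry comparisons at heart: read a value on the CA host, compare it with the documented hardened setting, and treat an absent value as pass or fail depending on what the OS default is. The PowerShell below is an added example written for this page, not Truvald's own code. The registry paths, value names and expected values are the documented Windows settings for WDigest, LSA protection, SMBv1 and NTLMv2; only OS-007 is a control ID taken from the page, the others are placeholders; the observed values are constructed to show one pass, two failures and one absent value.

```powershell
# Added example, not Truvald code: compare a CA host's registry values against the
# hardening points the OS-series names (WDigest, LSA protection, SMBv1, NTLMv2).
# Paths, value names and expected values are the documented Windows settings; the
# observed values below are constructed. Only OS-007 is an ID from the page; the
# other Control IDs are placeholders.

$Baseline = @(
    @{ Control = 'OS-007'; Severity = 'High';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential';   Expected = 0; MissingIsPass = $true
       Note = 'WDigest must not keep plaintext credentials in LSASS (absent = disabled on 2012 R2 and later)' }
    @{ Control = 'OS-nnn'; Severity = 'High';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RunAsPPL';             Expected = 1; MissingIsPass = $false
       Note = 'LSA protection (RunAsPPL) must be enabled so LSASS runs as a protected process' }
    @{ Control = 'OS-nnn'; Severity = 'High';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';                 Expected = 0; MissingIsPass = $false
       Note = 'SMBv1 server must be explicitly disabled (also confirm the SMB1 feature is removed)' }
    @{ Control = 'OS-nnn'; Severity = 'Moderate'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LmCompatibilityLevel'; Expected = 5; MissingIsPass = $false
       Note = 'Send NTLMv2 only and refuse LM/NTLM (level 5); absent means the OS default applies' }
)

function Test-CaHostBaseline {
    param([Parameter(Mandatory)][hashtable]$Observed)   # key "<path>|<name>" -> value as read
    foreach ($b in $Baseline) {
        $key     = "$($b.Path)|$($b.Name)"
        $present = $Observed.ContainsKey($key)
        $actual  = if ($present) { $Observed[$key] } else { '<absent>' }
        $pass    = if ($present) { [int]$Observed[$key] -eq $b.Expected } else { $b.MissingIsPass }
        $result  = if ($pass) { 'Good' } else { $b.Severity }
        [PSCustomObject]@{ Control = $b.Control; Setting = $b.Name; Actual = $actual; Expected = $b.Expected; Result = $result; Note = $b.Note }
    }
}

function Get-ObservedRegistryValues {
    # Live collection on the CA host (run there, or wrap in Invoke-Command); not called by the sample.
    $o = @{}
    foreach ($b in $Baseline) {
        $item = Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $o["$($b.Path)|$($b.Name)"] = $item.($b.Name) }
    }
    return $o
}

# Constructed observation: WDigest caching on, LSA protection on, NTLM level too low, SMB1 value absent.
$SampleObserved = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest|UseLogonCredential' = 1
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|RunAsPPL'                                 = 1
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa|LmCompatibilityLevel'                     = 3
}
Test-CaHostBaseline -Observed $SampleObserved | Format-Table Control, Setting, Actual, Expected, Result -AutoSize
```

The `MissingIsPass` flag is the part worth getting right: an absent `UseLogonCredential` is the secure default on Windows 8.1 / Server 2012 R2 and later, whereas an absent `RunAsPPL` means LSA protection is simply off, so a baseline that treats "not present" uniformly will either miss findings or invent them.
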
Operations Dashboard

Your PKI health at a glance — every morning.

The Operations tab is where you go when you want to know right now if your CAs are healthy, if CRLs are being published, and if your IIS endpoints are responding. Think of it as mission control for your daily PKI operations — no assessment run required.

CA Health View

Consolidated CA Status

Connectivity indicator, CA certificate status, CRL freshness, and AIA/CDP endpoint reachability for all configured CAs at a glance. One click to refresh against all servers.

Certificate Operations

Pending & Failed Requests

Review pending certificate requests across all Issuing CAs. See failed requests with reason codes. Identify unusual volumes that might indicate automation failures or attack activity.

CertFinder

Search Across All CAs

Find any certificate by subject name, Subject Alternative Name, serial number, or template. Searches across all your Issuing CAs simultaneously. Results exportable to CSV.

CRL Management

Monitor & Publish CRLs

View CRL freshness and time-to-expiry for each CA. Publish a fresh CRL directly from the dashboard — no need to RDP to the CA server for routine CRL maintenance.

End-of-Life Tracking

Certificates Nearing Expiry

Identify certificates issued from your CAs that are approaching expiry. Filter by template, validity window, or CA. Export the list to plan renewal campaigns.

PKI Groups

AD Group Membership

Resolve and display membership of your configured PKI administrative groups via LDAP. Useful for access reviews, departure checklists, and Tier 0 group audits.

Certificate Templates

Every template, every permission, fully exposed.

Certificate templates are one of the most overlooked attack surfaces in Active Directory. They're configured once — usually by someone who has since left the organization — and then just sit there. Truvald™'s template analysis surfaces the risk before your next pen test does.

  • Discovers all templates published across configured CAs
  • Maps ESC attack surface for each template — enroll, autoenroll, full control, write
  • Cryptographic algorithm, minimum key size, and signature hash review
  • Validity period and renewal window review
  • Export full template inventory to PDF or Excel
  • Template OID, internal name, and display name cross-reference
  • Subject name format — Supplied by Requester vs. Built from AD flags
  • Manager approval requirement and enrollment agent restrictions
[Screenshot: Certificate Templates — inventory view]

GPO Analysis

GPO conflicts caught before they become incidents.

Group Policy and PKI have a complicated relationship. GPOs configure your CA servers, apply security baselines, and distribute certificates — and in some cases quietly break your PKI in ways that take days to diagnose. Truvald™'s GPO analysis surfaces those problems automatically.

  • Reads GPO data directly from SYSVOL — works even with Remote Registry disabled
  • LDAP walk of OU hierarchy to discover linked GPOs by gPLink attribute
  • Conflict detection — same registry key defined differently across GPOs
  • OS-inappropriate setting detection — workstation policies on CA servers
  • GPO application order display — exactly which value wins and why
  • Risk acceptance for GPO findings with PIN verification and audit record
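Conflict detection and "which value wins" are the two computations behind the GPO bullets above, and both reduce to grouping every registry value each GPO sets and sorting the group by application precedence. The PowerShell below is an added example written for this page, not Truvald's own code. The rows are constructed; in a real run they would be filled from each GPO's registry.pol under SYSVOL (the parser is not shown) and from the gPLink order of the containers above the CA server. `Precedence` is an assumed single rank, 1 meaning "applied last and therefore wins", standing in for the site/domain/OU scope and link-order rules. The sample also includes a workstation GPO that wins over the domain baseline on a CA-relevant setting, the situation the OS-inappropriate-setting bullet describes.

```powershell
# Added example, not Truvald code: find registry settings that two or more GPOs
# define differently and report which value wins. Rows are constructed; a real run
# would fill them from each GPO's registry.pol under SYSVOL (parsing not shown) and
# from the gPLink order of the containers above the CA server.
# Precedence is an assumed single rank: 1 = applied last, so its value wins.

$SampleSettings = @(
    [PSCustomObject]@{ Gpo = 'CA Servers - Baseline'; Precedence = 1; Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RunAsPPL';             Data = 1 }
    [PSCustomObject]@{ Gpo = 'Domain Baseline';       Precedence = 3; Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'RunAsPPL';             Data = 1 }
    [PSCustomObject]@{ Gpo = 'Workstation Lockdown';  Precedence = 2; Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';                 Data = 1 }
    [PSCustomObject]@{ Gpo = 'Domain Baseline';       Precedence = 3; Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';                 Data = 0 }
    [PSCustomObject]@{ Gpo = 'CA Servers - Baseline'; Precedence = 1; Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LmCompatibilityLevel'; Data = 5 }
    [PSCustomObject]@{ Gpo = 'Workstation Lockdown';  Precedence = 2; Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa';                       Name = 'LmCompatibilityLevel'; Data = 3 }
)

function Find-GpoConflict {
    param([Parameter(Mandatory)][object[]]$Rows)
    # One group per registry value; a conflict is a group with more than one distinct Data.
    $Rows | Group-Object -Property { "$($_.Key)\$($_.Name)" } | ForEach-Object {
        $ordered  = @($_.Group | Sort-Object Precedence)
        $distinct = @($ordered.Data | Select-Object -Unique)
        if ($distinct.Count -gt 1) {
            [PSCustomObject]@{
                Setting     = $_.Name
                Winner      = $ordered[0].Gpo
                WinningData = $ordered[0].Data
                Overridden  = (($ordered | Select-Object -Skip 1 | ForEach-Object { "$($_.Gpo)=$($_.Data)" }) -join '; ')
            }
        }
    }
}

Find-GpoConflict -Rows $SampleSettings | Format-List
```

Two of the three settings conflict: `RunAsPPL` is set to the same value twice and is not reported, `SMB1` is re-enabled by the workstation GPO over the domain baseline, and `LmCompatibilityLevel` is correctly won by the CA baseline. Reading each GPO's settings from SYSVOL rather than from the resulting registry on the CA is what makes the "overridden" column possible: the live registry only shows the winner.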
[Screenshot: GPO Analysis]

Offline Collector Mode

No direct access? No problem.

The Offline Collector handles air-gapped environments, segmented networks, cloud-isolated infrastructure, and offline Root CAs. No separate installer or agent — just the same Truvald™ executable in collector mode.

Collection

Comprehensive Data Capture

Registry settings, CA configuration, certificate chain, CRL configuration, GPO data from SYSVOL, OS hardening baseline, local administrators group, service configurations, Windows features inventory, and event log entries.

Security

AES-256-CBC Encryption

Every collected package is AES-256-CBC encrypted with a session-unique key. The package cannot be read without importing it through Truvald™. Safe to transfer by USB, email, or any file transfer method.

Compatibility

All ADCS Roles Supported

Collector mode auto-detects the ADCS roles installed on the target server — Certificate Authority, OCSP, NDES, CDP, CEP, CES, and management workstations. Collects the appropriate data set for each role.

Reports & Exports

Assessment results that go somewhere.

Truvald™ can produce Word assessment reports, PDF and Excel template exports, and CSV data files. Use your own branded Word template as a base — Truvald™ injects its findings into your document style.

Full Assessment Report

Word Document (.docx)

Configurable sections: Executive Summary with severity counts, Overview Findings Grid, Per-Role Chapters with detailed findings, Statistics Matrix, and Appendices with control reference and glossary. Your organization name and logo are embedded automatically.

Template Exports

PDF & Excel

Export the complete certificate template inventory with all collected attributes — cryptography, permissions, validity, ESC surface — to PDF or Excel for distribution, archiving, or compliance evidence.

CertFinder & Event Logs

CSV Export

Export CertFinder search results and event log queries to CSV for further analysis in Excel, SIEM, or any data tool. Full field set included — no truncation.

Custom Branding

Bring Your Own Template

Provide a branded Word document as your report base — Truvald™ uses your header, footer, styles, and cover page design and appends its content in your organization's visual identity.

Disaster Recovery & Compliance Documentation

One click. Everything your recovery team needs.

A PKI that can't be recovered is a liability, not an asset. Truvald™ generates complete, current disaster recovery documentation for your CA infrastructure in a single action — so when something goes wrong at 2am on a Sunday, the person rebuilding your Root CA isn't starting from a four-year-old Word document and prayers.

DR documentation is generated from live data — not filled in manually by an admin who hasn't touched the CA since 2021. Every time you generate it, it reflects the actual current state of your CA configuration: cryptography, extensions, CRL distribution points, key storage, role assignments, and recovery procedures specific to your environment.

Keep it in your runbook. Store it with your HSM credentials. Give it to your disaster recovery team. It's the document that gets your PKI back online instead of rebuilt from scratch.

DR documentation covers: CA role and hierarchy · Key storage and HSM details · CRL and CDP configuration · Certificate extensions and policy · Validity periods and renewal schedule · Recovery procedure steps specific to your CA build
Always Current

Generated from live data

Because it reads your actual CA configuration at generation time, the document is accurate the moment it's produced — not the moment someone last remembered to update it.

One Action

No manual assembly

Click generate. Truvald™ collects, formats, and produces the complete DR package. No copy-pasting from certutil output, no spreadsheet, no screenshotting the CA properties dialog.

Every control in a Truvald™ assessment report includes direct references to the authoritative source that defines it — so findings aren't just assertions, they're documented positions you can defend. When an auditor asks why ESC-003 is a Critical, the answer is in the report with a link to the research that established it.

References include NIST publications (SP 800-57, SP 800-32), Microsoft PKI documentation and security advisories, SpecterOps Certified Pre-Owned research, CIS benchmarks, and RFC specifications where applicable. The report your CISO hands to an auditor has the receipts built in.

NIST

SP 800-57 · SP 800-32 · SP 800-52

Key management, PKI policy, and TLS guidelines referenced in cryptography and configuration controls.

Microsoft

ADCS documentation & security advisories

Vendor-specific configuration guidance and known vulnerability advisories cited directly in relevant findings.

SpecterOps

Certified Pre-Owned research

The foundational ESC-001 through ESC-016 attack path research is referenced for every applicable template and configuration finding.

Post-quantum cryptography isn't a distant concern — NIST finalized its first post-quantum standards in 2024, and organizations are beginning the long process of inventorying and migrating their cryptographic infrastructure. PKI is at the center of that transition.

Truvald™ assesses the cryptographic posture of your entire CA hierarchy: key algorithms, key lengths, signature algorithms, hash functions across CAs, templates, and issued certificates. That inventory is the starting point for any quantum readiness program — you can't migrate what you haven't mapped.

Controls flag RSA key lengths below current NIST guidance, weak hash algorithms (MD5, SHA-1), and cryptographic configurations that will need to be addressed as post-quantum standards are adopted into Windows and enterprise PKI tooling. Truvald™ gives you the map. The migration work is yours — but at least you know what you're walking into.

Cryptographic Inventory

Know what you have

Full visibility into every algorithm and key length in use across your CA hierarchy, templates, and certificate population — the prerequisite for any crypto-agility or PQC migration plan.

Weak Algorithm Detection

SHA-1. MD5. RSA-1024.

Findings flag deprecated algorithms and sub-standard key lengths against current NIST guidance so you know exactly what needs to move first.

Forward-Looking Controls

Built for what's coming

As post-quantum standards land in Windows and ADCS, Truvald™ controls will track adoption. The assessment framework is designed to grow with the threat landscape.

Operational Readiness Survey

The governance questions nobody wants to answer.

Not everything about PKI security can be verified by reading a registry key. The Operational Readiness Survey covers the governance side — 26 structured questions that map directly to SRV-series controls and affect your overall assessment posture.

Survey answers are PIN-protected — because they're part of your audit record and changes should be intentional. Every edit is logged with timestamp and reason. Answering "Yes" produces a Good finding. Leaving it blank — or answering "No" — produces a finding at the appropriate severity.

Survey categories: Key protection · CA backup and recovery · CP/CPS documentation · PKI role accountability · Incident response · Change management · Certificate lifecycle procedures · Third-party CA trust
[Screenshot: Operational Readiness Survey]

Statistics, Event Logs & Scheduled Tasks

Numbers, logs, and schedules that actually run.

The Statistics tab gives you a matrix view of findings by role and severity for executive reporting. The Event Logs viewer queries Windows events remotely from all your CA servers. Scheduled Tasks tracks certificate-related automation across your infrastructure.

Statistics Tab

Findings Matrix

Role × severity matrix. Click any cell to drill directly to filtered findings. Designed for executive briefs and steering committee reports.

Event Logs

Remote Log Viewer

Query Windows event logs from CA servers — filter by server, time range, level, and Event ID. No RDP required. Export results to CSV.

Scheduled Tasks

Task Inventory

Discover and review certificate-related scheduled tasks across your CA servers — CRL publication jobs, certificate renewal automation, and any tasks that shouldn't be there.

Documentation

Built-in Reference

Every control has built-in documentation — what it checks, what the risk is, and where the authoritative reference lives. No more tab-switching to Microsoft docs during an assessment.

[Screenshot: Statistics — Findings Matrix]

System Requirements

Lightweight. No infrastructure changes required.

Truvald™ runs on a Windows workstation or management server. No agents to install, no infrastructure changes, no inbound firewall rules on your CA servers. Truvald™ connects outbound to your CAs over standard Windows remote administration protocols.

Designed for Privileged Access Workstations. Run Truvald™ from your PAW or dedicated management system and never touch your CA servers directly. No RDP sessions to leave disconnected, no credentials cached on a CA console, no bad habits to apologize for later. Your PKI assessment stays where it belongs — on a hardened management workstation with controlled network access — and your CA servers never know you were there.
Requirement details:

  • Assessment Workstation OS: Windows 10 (64-bit) or Windows 11; or Windows Server 2016/2019/2022
  • .NET Runtime: Compiled into Truvald™ — no separate installation required.
  • Network Access: TCP 135 + high ports (DCOM/RPC) and SMB 445 to CA servers for live assessment. LDAP 389/636 and SMB 445 for GPO analysis via SYSVOL. Not required for Offline Collector imports.
  • Permissions: Domain account with local administrator rights on target CA servers, or a dedicated service account with equivalent delegation. LDAP read access to Active Directory.
  • CA Server Requirements: Windows Server 2012 R2 or later with ADCS installed. Remote Registry service not required when using Offline Collector. IIS checks require IIS to be installed and running.
  • Database: Truvald™ maintains a local SQLite audit database for risk acceptances, survey answers, and assessment history. No SQL Server required.
  • Offline Collector Target: Any Windows Server with ADCS roles installed. Requires local administrator access on the target server during collection. No inbound network access required.
  • Display: Minimum 1280 × 800. Truvald™ has a custom UI with full DPI awareness and dark mode support.

PAW / Management System

Stay on your management workstation. Always.

Truvald™ is built to run from a Privileged Access Workstation or dedicated management system. It reaches out to your CA servers over RPC and LDAP — you never need to open an RDP session, log an interactive console session, or leave credentials sitting on a CA.

Every assessment, every health check, every GPO query happens remotely and silently. Your CA servers stay clean. Your audit logs stay clean. Your security team stays happy.

No Bad RDP Habits

Disconnected sessions are somebody else's problem now.

You know the habits — RDP into the CA to check something, get pulled into a meeting, leave the session disconnected for three days. Credentials cached. Session exposed. Security team having a quiet breakdown.

Truvald™ eliminates the need for that entirely. Run your assessment from your PAW, get your results, close the window. The CA never had a logged-on user session. That's the right way to manage Tier 0 infrastructure.