Hello all,

I was asked to evaluate replacements for my current on-premises ADCS setup. Currently we run an offline root and online issuing CAs to provide a large number of machine and SSL certs and a small number of smartcard certs to the enterprise. We employ different mechanisms to interact with the PKI - custom web-based enrollment portal, SCEP, ADCS web services and Windows auto-enrollment. The root CAs use offline HSMs, while the online CAs use online network HSMs - all from Gemalto / SafeNet.

The evaluation is more to confirm that we are on the right track before we invest in the on-premises PKI in the way of hardware refreshes, OS upgrades, etc.

I am hearing that managed CA offerings are now viable cost-wise and that they would give us public trust as well. (Earlier they were not feasible because of the per-certificate charge.) I do not know if there is an Azure offering for PKI as yet. Does anyone have more information / thoughts on these two options?

Thanks,
-Ravi