Any PKI infrastructure you choose is bound to have it s up sides and it s downsides. I can tell you from experience that the Microsoft PKI products generally play pretty well with other Microsoft products but tend to have interoperability problems with other non-Microsoft products. Over time, my understanding is is that their oldest PKI products have gotten progressively more standards compliant, but they still have their quirks.

Time stamping authorities are useful if you have concerns about the replay of signed messages:

http://en.wikipedia.org/wiki/File:Trusted_timestamping.gif

But it means that every end entity will need to use that TSA when generating signatures.

If you re using your digital certificates for SSL, you won t need it, unique per-transaction proof of private key is part of the protocol. If you are doing web authentication, many authentication mechanisms will use either SSL client auth or do something to force the private key to sign a unique value to assure that there is no man in the middle attack.

I m not quite sure what you mean by "Signature Proof". If you mean including a random, and unique value in every hash to avoid replay attacks, then the same advice as TSA applies. But I m guessing here.

It will all come down to -- what are you using it for? how well does it need to perform? how do users and other systems need to interface with it?

Given that PKI is expensive, not matter how you slice it, you ll want to take some serious time thinking this one out. Between the cost of licenses, the cost of installation (manhours) and the cost of maintenance, it s a major commitment worth system level requirements development and design.

The question really comes down to the scope of use. If the PKI will only be used internally within your organization, then Microsoft s Certificate Services product provides a decent PKI platform. However, if you re certificates may be used externally -- customers, vendors, etc. -- then you probably want to investigate using a trusted third-party PKI provider like VeriSign, Cybertrust (Verizon Business), etc.

We run Microsoft CS internally and it works well, particularly since one of our primary use cases is auto-enrollment of certificates via Active Directory. It allows IIS, VPN clients, etc. to automatically get certificates issued to them on an as-needed basis.

It s not the most full-featured PKI product I ve worked with. If you re looking for a really advanced feature set, then you should look at Red Hat s Certificate Services product. It s also open-sourced as the Dogtag PKI project.