Nice white paper from MS: http://aka.ms/securingpki