The Microsoft (MS) Server package already contains a PKI. With that PKI a Certificate Authority (CA) can be established. The trust of the entire system and validity of each issued certificate depends upon the protection of the CA key issuing the identities.Therefore, Microsoft best practices recommend storing private keys on a HSM.
