Although MS may have a bastardized implementation of PKI, it has some primary flaws. For starters, MS will only allow their domain controller certs to be constructed in some specific fashion. If you are a small firm and it is inexpensive to gut your PKI quickly, then play with MS implementations.

Stick with standards compliance for larger implementations. You never know how someone is going to need to use your infrastructure, and it is a REAL PAIN to adjust (bigger = exponentially harder). For example, one day you might need to do something with hardware cards or trusted peers. If your chosen version doesn't play that way, you could be screwed. Just find another job, fast.

If all you want is single sign on with a piece of plastic, buy a SSO solution and be done with it. But if you want a root CA, subordinate CAs which issue hardware, software, server, and mcs credentials, then that's a real PKI.

If you don't have the facilities to handle physical security needed for a PKI, then find a vendor.

The first part of PKI is Policy (read - legal junk that gives your Base64 blobs some sort of validity). You need a CP and a CPS and that requires a lot of typing. Once you get that down, then you can survey offerings and find what you need. Some hints at decent products are from Novell and a section of RedHat that was formerly known as NSS.

I'm not stricly MS bashing, but some will see 2 linux vendors and say "oh, he just hates Windows". Fact is there are plenty of PKI standards and Microsoft doesn't do it correctly - why should they when everyone uses Windows to sign in.

I sure hope you are not working on HSPD12

That seems a bit strong. Doesn't it still bring up your default browser when you click on a search result?