It turns out that when we replaced all the DCs this summer, we nuked our AD-based CA. Oops. Still, it took us this long to notice it, so we're clearly not using AD-PKI all that much. But getting it back into place is proving challenging. Very challenging.