Advanced Microsoft PKI training


SKU: PKI002


This advanced PKI class focuses on hands-on labs and topics that build on the student's existing Microsoft Active Directory Certificate Services (ADCS) and PKI knowledge. Students spend the majority of the class working on real-life scenarios in the lab, ranging from deploying enrollment services, hacking OCSP for near real-time revocation checking, CA migrations, SHA1 to SHA2 migrations, disaster recovery scenarios, and certificate reporting to CA database management. Advanced topics including code signing, key-pair file management, and enrollment agents are also covered.

Class audience: This course is recommended for anyone who has taken the PKI In-depth training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with ADCS.

Course details are available here for download.


Class syllabus

Network Device Enrollment Service

  • Installation and Security
  • Policy Module
  • Registry Keys and Tweaks
  • Authentication Modifications and Automation
  • Securing NDES Signing Keys with Hardware Security Modules
  • LAB – Deploy NDES and Verify Enrollment with Test Tool

Certificate Authority Web Enrollment

  • Installation and Configuration Details
  • Manual Creation of CAWE websites to support Multiple CAs
  • Modifying and Exploring CAWE Web Pages
  • LAB – Deploying CAWE on Dedicated Server with Kerberos Delegation
  • LAB – Modify CAWE Enrollment Pages

Disaster Recovery

  • Scripting CA Backups
  • Manual Recovery of Issued Certificates Based on SMTP Exit Module Alerting
  • Authoritative AD Restore of ADCS components
  • LAB – Recover a Failed CA
  • LAB – Recover Issued Certificates Manually
  • LAB – CRL Re-signing for Availability

Certificate Services Reporting

  • CA Database Schema and Queries
  • Custom Reporting and Alerting
    • Expiring Certificates
    • Remaining SHA1 certificates
  • PowerShell cmdlets and certutil commands
  • LAB – Query CA Database and Send Email Alerts

SHA1 to SHA2 migrations

  • Compliance with Microsoft and Google Browser Requirements
  • Partial, Full, and Cross-Signed Migrations
  • Migrating Legacy CSP Keys to Key Storage Provider
  • LAB – Migrate CA to Server 2012 R2
  • LAB – Migrate CA Key to KSP and Implement SHA2

Database Cleanup and Defragmentation

  • Identifying Bloated CA Databases
  • Pruning CA Database to Manage Size
  • Defragmentation and Database Whitespace Management
  • LAB – Clean and Defragment CA Database

Hacking OCSP for Near Real-time Revocation Details

  • Managing Caching Behavior on OCSP Clients
  • Managing Caching Behavior on OCSP Responder
  • Forced Purge of Cache and HTTP MaxAge
  • CRL Re-Sign for Short Term CRL based OCSP Responses
  • Calculating the OCSP Magic Number in Your Environment
  • Deterministic Results and Multi Certificate Queries
  • LAB – Deploy OCSP with 1 Hour Maximum Latency of Revocation

Key Recovery

  • Template and Security Requirements
  • KRA Best Practices and Key Controls
  • Identifying and Extracting Archived Keys
  • LAB – Archive and Recover Encryption Key for User

Keys and Templates

  • Correlating Certificates and Key Files
  • Managing and Repairing Keys
  • Modifying V1 templates
  • Changing Templates from User to Computer and vice versa
  • Kerberos Authentication Templates for Domain Controllers
  • LAB – Certificate and Key File Queries and Repairs
  • LAB – Exporting Non-Exportable Keys
  • LAB – Modify Hidden Template Properties
  • LAB – Deploy Kerberos Authentication Certificates and Verify

Code Signing

  • Creating and Issuing Code Signing Certificates
  • Time Stamping
  • Revocation
  • LAB – Code Signing Scripts and Executables

Restricted Enrollment Agents

  • Deploying High Security Certificates with Restricted Enrollment
  • Best Practices for Enrollment Agents
  • LAB – Manage and Issue Certificate with Restricted Enrollment Agents

Policy CAs

  • Enforcing Issuance Restrictions
  • LAB – Restricting Subordinate CA Issuance