Advanced Microsoft PKI Training Class

This advanced PKI class focuses on hands-on labs and topics that build on the student's existing knowledge of Microsoft Active Directory Certificate Services (ADCS) and PKI. Students will spend the majority of the class working on real-life scenarios in the lab, including deploying enrollment services, hacking OCSP for near real-time revocation checking, SHA1 to SHA2 migrations, disaster recovery scenarios, certificate reporting and CA database management. Advanced topics including Code Signing, key-pair file management and enrollment agents will also be covered.

Who Should Attend: This course is recommended for anyone who has taken the PKI In-Depth Training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with Certificate Services.

Course details are available here for download.


Class Syllabus

Network Device Enrollment Service

  • Installation and Security
  • Policy Module
  • Registry Keys and Tweaks
  • Authentication Modifications and Automation
  • Securing NDES Signing Keys with Hardware Security Modules
  • LAB – Deploy NDES and Verify Enrollment with Test Tool

Certificate Authority Web Enrollment

  • Installation and Configuration Details
  • Manual Creation of CAWE websites to support Multiple CAs
  • Modifying and Exploring CAWE Web Pages
  • LAB – Deploying CAWE on Dedicated Server with Kerberos Delegation
  • LAB – Modify CAWE Enrollment Pages

Disaster Recovery

  • Scripting CA Backups
  • Manual Recovery of Issued Certificates Based on SMTP Exit Module Alerting
  • Authoritative AD Restore of ADCS components
  • LAB – Recover a Failed CA
  • LAB – Recover Issued Certificates Manually
  • LAB – CRL Re-signing for Availability

Certificate Services Reporting

  • CA Database Schema and Queries
  • Custom Reporting and Alerting
    • Expiring Certificates
    • Remaining SHA1 certificates
  • PowerShell and Certutil cmdlets
  • LAB – Query CA Database and Send Email Alerts

SHA1 to SHA2 Migrations

  • Compliance with Microsoft and Google Browser Requirements
  • Partial, Full, and Cross-Signed Migrations
  • Migrating Legacy CSP Keys to Key Storage Provider
  • LAB – Migrate CA to Server 2012 R2
  • LAB – Migrate CA Key to KSP and Implement SHA2

Database Cleanup and Defragmentation

  • Identifying Bloated CA Databases
  • Pruning CA Database to Manage Size
  • Defragmentation and Database Whitespace Management
  • LAB – Clean and Defragment CA Database

Hacking OCSP for Near Real-time Revocation Details

  • Managing Caching Behavior on OCSP Clients
  • Managing Caching Behavior on OCSP Responder
  • Forced Purge of Cache and HTTP MaxAge
  • CRL Re-Sign for Short-Term CRL-Based OCSP Responses
  • Calculating the OCSP Magic Number in Your Environment
  • Deterministic Results and Multi-Certificate Queries
  • LAB – Deploy OCSP with 1 Hour Maximum Latency of Revocation

Key Recovery

  • Template and Security Requirements
  • KRA Best Practices and Key Controls
  • Identifying and Extracting Archived Keys
  • LAB – Archive and Recover Encryption Key for User

Keys and Templates

  • Correlating Certificates and Key Files
  • Managing and Repairing Keys
  • Modifying V1 templates
  • Changing Templates from User to Computer and vice versa
  • Kerberos Authentication Templates for Domain Controllers
  • LAB – Certificate and Key File Queries and Repairs
  • LAB – Exporting Non-Exportable Keys
  • LAB – Modify Hidden Template Properties
  • LAB – Deploy Kerberos Authentication Certificates and Verify

Code Signing

  • Creating and Issuing Code Signing Certificates
  • Time Stamping
  • Revocation
  • LAB – Code Signing Scripts and Executables

Restricted Enrollment Agents

  • Deploying High Security Certificates with Restricted Enrollment
  • Best Practices for Enrollment Agents
  • LAB – Manage and Issue Certificate with Restricted Enrollment Agents

Policy CAs

  • Enforcing Issuance Restrictions
  • LAB – Restricting Subordinate CA Issuance

  © Copyright 2013-2017 PKI Solutions Inc.