Mastering Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a core service that facilitates authentication, encryption, and digital signing. This 4-day course teaches the skills required to design, operate, and maintain your PKI system. The training begins with an overview of cryptography and the working principals of algorithms. After gaining an understanding of certificates, you will learn about the considerations for designing a highly reliable Certification Authority structure. Practical implementation examples are given in both Windows and Linux environments. Use-cases show how PKI can be used for, among others, securing websites, encrypting storage, validating executable code, and protecting communication.


Systems administrator, network administrator, security professionals and other people responsible for network and perimeter security.

Course level: 200-300


Basic knowledge of Windows Server administration and networking.

Course outline:

 Cryptography Basics:

  • Introduction to Cryptography:
    • Symmetric Cryptography
    • Asymmetric Cryptography
    • Hash Functions
    • Security Goals
  • Usage Scenarios
    • Encryption
    • Signing
  • Components of PKI
  • Algorithms, Protocols and Standards
    • DES and 3DES
    • RSA
    • Object Identifiers
    • X.500, X.509
    • PKCS#10, PKCS#
  • Understanding Certificates
    • Structure and Content
    • Extensions

Getting Started with CAs:

  • Using External CAs
  • Self-signed Certificates
  • CA Hierarchy
  • Writing Policies
    • Certificate Policy
    • Certification Practice Statement
  • Windows Server Certificate Security
    • Choosing an Architecture
    • Implementing a CA Hierarchy
    • Certificate Templates
    • Issuing Certificates
    • Certificate Renewal
  • OpenSSL on Linux
  • Maintaining a CA
    • Verifying and Monitoring
    • Backup
  • Certificate Revocation
    • Reasons for Revocation
    • Methods of Revocation Checking

Practical Applications:

  • SSL for Web Server
    • Internet Information Services (IIS)
    • Apache
    • (optional) Certificate-based Authentication
  • Authentication
    • User Authentication vs Server Authentication
    • Considering Smart Card Logon
    • Virtual Private Networking
    • (optional) Wi-Fi with 802.1x
  • Encrypting File System (EFS)
    • Local EFS Encryption
    • EFS Within a Domain
    • Recovery
  • Securing E-Mail
    • Certificate Requirements
    • Signing in Outlook
    • Encryption in Outlook
  • Code Signing
    • Time Stamping
    • Signing PowerShell Scripts
    • (optional) Signing Visual Studio Files
    • (optional) Signing Office VBScript Code
  • Other PKI-Enable Applications