PKI Fundamentals

Public Key Infrastructure (PKI) is a core service that facilitates authentication, encryption, and digital signing. This course equips learners with the essential skills to design, operate, and maintain PKI. The training begins with an overview of cryptography and the working principals of algorithms. After establishing an understanding of certificates, it discusses considerations for designing a highly reliable Certification Authority structure and showcases useful tools and resources.

Practical implementation examples are given in both Windows and Linux (for 4-day version) environments. Use-cases show how PKI can be used for, among others:

  • securing web servers
  • implementing authentication
  • ensuring software integrity
  • protecting data storage and communication


An ideal candidate will be a systems administrator, network administrator, or hold a similar role.


Delegates should have basic knowledge of Windows Server administration and networking.

Course content


Cryptography Basics


Introduction to Cryptography

  • Symmetric Cryptography
  • Asymmetric Cryptography
  • Hash Functions
  • Security Goals

Usage Scenarios

  • Encryption
  • Signing

Components of PKI

Algorithms, Protocols and Standards

  • DES and 3DES
  • Object Identifiers (optional)
  • X.500, X.509
  • Certificate file formats and extensions

Understanding Certificates

  • Structure and Content
  • Extensions

Getting Started with CAs


Using External CAs

Self-signed Certificates

CA Hierarchy

Writing the Certificate Policy and Certification Practice Statement

Windows Server Certificate Security

  • Choosing an Architecture
  • Implementing a CA Hierarchy
  • Certificate Templates
  • Issuing Certificates
  • Certificate Renewal

OpenSSL on Linux (optional)

Maintaining a CA

  • Verifying and Monitoring
  • Backup

Certificate Revocation

  • Reasons for Revocation
  • Methods of Revocation Checking

Cloud certificate management using Azure Key Vault (optional)

Practical Applications


SSL for Web Server

  • Internet Information Services (IIS)
  • (optional) Apache / nginex
  • (optional) Certificate-based Authentication


  • User Authentication vs Server Authentication
  • SSH
  • Considering Smart Card Logon
  • Virtual Private Networking
  • (optional) Wi-Fi with 802.1x

Encrypting File System (EFS)

  • Local EFS Encryption
  • EFS Within a Domain
  • Recovery

Securing E-Mail

  • Certificate Requirements
  • Signing in Outlook
  • Encryption in Outlook

Code Signing

  • Time Stamping
  • Signing PowerShell Scripts
  • (optional) Signing Visual Studio Files
  • (optional) Signing Office VBScript Code

Other PKI-Enable Applications 

Closing topics 


Best Practices and Compliance

  • NIST Guidelines
  • CA/Browser Forum


Post-quantum Cryptography


Other relevant courses