Master Class
Public Key Infrastructure (PKI)
Deep Dive
Master Class
Public Key
Infrastructure (PKI)
Deep Dive

Course overview

For many, the topic of PKI is a book with (at least) seven seals. It is impossible to imagine today’s world without certificates – the topic of PKI is deeply rooted in security in particular. We have completely rebuilt this course using the knowledge from our PKI training courses over the last few decades.

Target group

This course is aimed at experienced system administrators, consultants and Active Directory designers.

After this seminar you will be able to design, create and operate highly secure public key infrastructures.


At least 5 years of experience with servers and client systems, at least 3 years of experience in Active Directory.

Course objective

In five days you will become a PKI expert. From the basics (private & public keys, digital signature and TLS) to high-end topics such as multi-level PKIs, algorithms, virtual SmartCards and much more: Public Key Infrastructure – after this course you will be juggling all topics related to PKI!

Course content

Windows Server 2016 / 2019 / 2022 PKI

  • Necessity of Public Key Infrastructure ” Securing Public Key Infrastructure
  • Applications through PKI
  • Multi-level PKI (2-level, 3-level)
  • Crytographic procedures: Symmetric, asymmetric (public key), hash (one-way function)
  • Cryptographic algorithms: Symmetric Key (AES-128, AES-256), Hash (SHA-256), Public Key (RSA, Elliptic Curve ECDSA, ECDH)
  • NIST, NSA Suite-B Cryptography
  • Cryptographic standards: X509v3, PKCS etc.
  • CryptoAPI (CAPI) and CNG (Cryptography Next Generation) as well as CAPI2
  • CSP (Cryptographic Service Provider) and KSP (Key Service Provider)
  • Digital Certificate X.509v3 and the fields
  • Windows Cipher Suite
  • PKI applications: Smartcard, SSL/TLS, S/MIME, EFS, Authenticode, IPSec
Design and implementation of a multi-level 2019 PKI:
  • Design of a PKI (single-stage, two-stage and three-stage)
  • Root certification authority (standalone and enterprise certificate authority = CA); SubCA and issuing CA
  • Implementation of a three-tier PKI with an offline Root CA, offline Policy CA and online Enterprise SubCA
  • All certification authorities are set up according to the stricter ISIS-MTT (European standard)!
  • Configure CAPOLICY.INF for the CA installation (key length, lifetime, etc.)
  • Post-installation via ConfigMe.cmd: Automated configuration of the CA registry, CDP and AIA, basic and delta CRL
  • Publish CDP and AIA in Active Directory and on the web server
  • Configuring an offline RootCA: certificate lifetime, key length, registry settings with Certutil -setreg
  • Implement multiple offline policy CAs with CPS (Certification Practice Statemnents) and multiple issuing online Enterprise SubCAs (Issue)
  • Targeted publishing of certificate templates, e.g. Kerberos Authentication, Smartcard Enrollment Agent, etc.
  • Certificate checking: certificate discovery, path validation (trust path) and revocation checking (revocation)
PKI administration with role separation
  • Administrative tasks in a PKI; installing and configuring a CA; renewing CA certificates; key archiving
  • Publishing certificate templates; Restricting certificate administration
  • Role separation: PKI-Admin, PKI-CertManager, PKI-Auditor and Key Recovery Agents
  • Auditing of certification authorities: Start/stop service, publish CRL
  • Certificate registration and denial, security settings, database backup and restore
  • Send CA events by e-mail
  • Type 1, 2, 3 and 4 certificate templates
  • Differences between certificate templates type 1, 2, 3 (2008 R2) and 4 (from 2012)
  • Copying certificate templates
  • The most important certificate template settings:
  • Request processing
  • Application and issuance guidelines
  • Issuance requirements
  • Delegating certificate template management
  • Validity period and extension period
  • Definition of certificate purposes and key usage
  • Key archiving and recovery
  • Manual and automatic enrollment for users and computers
  • Publishing certificates
  • Modification of existing certificate template and renewal of certificate
Key archiving and recovery
  • Windows CA with private key archiving
  • Preparation of the certificate template for key recovery, Key Recovery Agent (KRA) and KRA certificate
  • Encryption of private keys and PKCS#12 certificate
  • Export and import of certificate and private keys
  • Archiving EFS private keys
  • Restoring archived private keys
Windows 10 & Windows Server 2019 Enrollment
  • New features of Windows 10 and Server 2019
  • Easier certificate selection in the Certificate Store
  • New HTTP/HTTPS enrollment (will only be discussed in the course) vs. RPC/DCOM
Smart Cards
  • Kerberos authentication certificate for all domain controllers
  • Install SmartCard reader
  • Smart card enrollment agent, issuing smart card certificates
  • Configure group policies for smart card users and computers
Virtual Smart Card (VSC) – SCAMA – TPM Key Attestation
  • Virtual Smart Card is possible from Windows 8.1, requires TPM 1.2 or higher
  • TPM and smart card certificate template for Windows 10 clients
  • Working with TPMVSCMgr and Mini-Driver manager
  • TPM Key Attestation from 2012 R2 CA
  • Set up SCAMA – Smart Card template with issuance policy (High, Medium, Low Assurance)
EFS Encrypted File System
  • How EFS works
  • Self-signed and CA-signed EFS certificate
  • Revocation of EFS use in an Active Directory environment without PKI
  • Creation of EFS certificate type 4 with key recovery and auto-enrollment
  • Encrypting local files
Certificate Revocation List – CRLOverlap
  • Lifetime of a Base CRL and Delta CRL
  • Lifetime extension through CRLOverlap (overlap)
  • Default values of CRLOverlap and CRLDeltaOverlap
  • How should a CRLOverlap be set?
Online Certificate Status Protocol (OCSP)
  • Create OCSP template
  • Create and set up OCSP array.
  • Set up CA revocation configuration with CRL refresh time
  • Optimize OCSP response
  • OCSP Stapling
  • Local CRL – On-Demand Revocation
Certificate Renewal
  • Renewal of a CA certificate with the same key pair
  • Changing the PKI structure (2-stage to 3-stage and vice versa) by CA certificate renewal
  • Reassign CA to a new PKI structure
  • Restrict the scope of a CA using constraints (path, application, name)
  • Renewal of a CA certificate with a new key pair
  • Cross RootCA certificate
  • Migration or consolidation into a new PKI structure
Auditing & troubleshooting
  • Configure PKI audit
  • Evaluating the events
  • Troubleshooting of certificate enrollment
  • E-mail notification
Network Device Enrollment Service (NDES)
  • Setup and configuration
  • Kerberos delegation
  • Requesting a certificate
Backup / recovery of PKI database
  • The PKI database *.edb, transaction files *.log and checkpoint file
  • “Small” and “large” database backup
  • Restoring CA keys and database
  • Clean up the database by deleting expired certificates
Certificate Lifecycle Notification (optional)
  • Configuring the Task Scheduler
  • Event 1001 to 1007
  • PowerShell script to send e-mail when 1003 appears
  • SCOM Monitor
Training environment

The training environment works entirely with Hyper-V. To set up the training environment proactively, we use a Powershell script with which you can create new virtual machines in seconds. The script was developed by your trainer himself and enables the training to be set up as required by the customer extremely quickly and with little effort.


Each participant is provided with a dedicated server in a data center with a total of 1 Gbit connection to the Internet.

Each participant server is equipped as follows:

  • At least 256 GB RAM up to 768 GB RAM (!)
  • at least 40 vCores
  • 2 NVME SSDs with at least 3,000 MB/s write and at least 2,000 MB/s read speed
  • 1 Gbit to the Internet total bandwidth
Your trainer

The Master Class was developed by Andy Wendel and is conducted by himself and his experienced team.

Andy Wendel is a Senior Data Center and Cloud Architect and Certified Security Master Specialization Advanced Windows Security. He was and is trained by the internationally renowned security experts Paula Januszkiewicz and Sami Laiho. This certification is renewed every year. Andy Wendel has been working as an IT trainer and consultant since the late 1990s and is also a certified Microsoft Learning Consultant (MCLC). Microsoft has only awarded 56 Certified Learning Consultants worldwide.


This post is also available in: German