Self-Paced Microsoft ADCS Advanced Online Training


This course is recommended for anyone who has taken the PKI In-depth Training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with Certificate Services.

SKU: PKI012


We offer group and corporate-wide subscription-based enrollment options for our online courses, providing ongoing access to training on demand for a set number of seats per year. Details available here.

This course will be delivered electronically in a self-paced environment. You will receive access to download the student materials, lab manual and supporting materials. The course will feature video, audio and slide-based content. It will cover all of the same topics and lessons as our in-person courses.

This advanced PKI class focuses on hands-on labs and topics that build on the student's existing knowledge of Microsoft Active Directory Certificate Services (ADCS) and PKI. Students will spend the majority of the class working on real-life scenarios in the lab, ranging from deploying enrollment services, hacking OCSP for near real-time revocation checking, Certificate Authority migrations, disaster recovery scenarios, certificate reporting and CA database management. Advanced topics including code signing, key-pair file management and enrollment agents will also be covered.

Once enrolled, you will have unlimited access to the course material for 90 days to complete at your own pace. Corporate subscriptions are not time-limited.

Class audience: This course is recommended for anyone who has taken the PKI In-depth training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with ADCS.

Course details: Download here.


Network Device Enrollment Service

  • Installation and Security
  • Policy Module
  • Websites to support Multiple CAs
  • Modifying and Exploring CAWE Web Pages
  • LAB – Deploying CAWE on Dedicated Server with Kerberos Delegation
  • LAB – Modify CAWE Enrollment Pages

Disaster Recovery

  • Scripting CA Backups
  • Manual Recovery of Issued Certificates Based on SMTP Exit Module Alerting
  • Authoritative AD Restore of ADCS components
  • LAB – Recover a Failed CA
  • LAB – Recover Issued Certificates Manually
  • LAB – CRL Re-signing for Availability

Certificate Services Reporting

  • CA Database Schema and Queries
  • Custom Reporting and Alerting
    • Expiring Certificates
    • Remaining SHA1 certificates
  • PowerShell and Certutil cmdlets
  • LAB – Query CA Database and Send Email Alerts

Certificate Authority migrations

  • Compliance with Microsoft and Google Browser Requirements
  • Partial, Full, and Cross-Signed Migrations
  • Migrating Legacy CSP Keys to Key Storage Provider
  • LAB – Migrate CA to Server 2016
  • LAB – Migrate CA Key to KSP and Migrate from SHA1 to SHA2

Database Cleanup and Defragmentation

  • Identifying Bloated CA Databases
  • Pruning CA Database to Manage Size
  • Defragmentation and Database Whitespace Management
  • LAB – Clean and Defragment CA Database



Hacking OCSP for Near Real-time Revocation Details

  • Managing Caching Behavior on OCSP Clients
  • Managing Caching Behavior on OCSP Responder
  • Forced Purge of Cache and HTTP MaxAge
  • CRL Re-Sign for Short Term CRL based OCSP Responses
  • Calculating the OCSP Magic Number in Your Environment
  • Deterministic Results and Multi Certificate Queries
  • LAB – Deploy OCSP with 1 Hour Maximum Latency of Revocation

Key Recovery

  • Template and Security Requirements
  • KRA Best Practices and Key Controls
  • Identifying and Extracting Archived Keys
  • LAB – Archive and Recover Encryption Key for User

Keys and Templates

  • Correlating Certificates and Key Files
  • Managing and Repairing Keys
  • Modifying V1 templates
  • Changing Templates from User to Computer and vice versa
  • Kerberos Authentication Templates for Domain Controllers
  • LAB – Certificate and Key File Queries and Repairs
  • LAB – Exporting Non-Exportable Keys
  • LAB – Modify Hidden Template Properties
  • LAB – Deploy Kerberos Authentication Certificates and Verify

Code Signing

  • Creating and Issuing Code Signing Certificates
  • Time Stamping
  • Revocation
  • LAB – Code Signing Scripts and Executables

Restricted Enrollment Agents

  • Deploying High Security Certificates with Restricted Enrollment
  • Best Practices for Enrollment Agents
  • LAB – Manage and Issue Certificate with Restricted Enrollment Agents

Policy CAs

  • Enforcing Issuance Restrictions
  • LAB – Restricting Subordinate CA Issuance

