Online Self-Paced Training

Microsoft ADCS Advanced

Pre-Sale $2,995

This course is expected to be available in Q1 2020. Register now as part of our pre-sale and you will be notified once the course is available for enrollment.

Course Description: This course will be delivered electronically in a self-paced environment. You will receive access to download the student materials, lab manual and supporting materials. The course will feature video, audio and slide-based content. It will cover all of the same topics and lessons as our in-person courses.

This advanced PKI class focuses on hands-on labs and topics that build on the student's existing knowledge of Microsoft Active Directory Certificate Services (ADCS) and PKI. Students will spend the majority of the class working on real-life scenarios in the lab, ranging from deploying enrollment services, hacking OCSP for near real-time revocation checking, Certificate Authority migrations and disaster recovery scenarios to certificate reporting and CA database management. Advanced topics including code signing, key-pair file management and enrollment agents will also be covered.

Once enrolled, you will have unlimited access to the course material for 90 days to complete at your own pace. Corporate subscriptions are not time-limited.

Target Audience: This course is recommended for anyone who has taken the PKI In-depth training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with ADCS.


Network Device Enrollment Service

  • Installation and Security
  • Policy Module
  • Websites to support Multiple CAs
  • Modifying and Exploring CAWE Web Pages
  • LAB – Deploying CAWE on Dedicated Server with Kerberos Delegation
  • LAB – Modify CAWE Enrollment Pages

Disaster Recovery

  • Scripting CA Backups
  • Manual Recovery of Issued Certificates Based on SMTP Exit Module Alerting
  • Authoritative AD Restore of ADCS components
  • LAB – Recover a Failed CA
  • LAB – Recover Issued Certificates Manually
  • LAB – CRL Re-signing for Availability

Certificate Services Reporting

  • CA Database Schema and Queries
  • Custom Reporting and Alerting
    • Expiring Certificates
    • Remaining SHA1 certificates
  • PowerShell and Certutil cmdlets
  • LAB – Query CA Database and Send Email Alerts

Certificate Authority migrations

  • Compliance with Microsoft and Google Browser Requirements
  • Partial, Full, and Cross-Signed Migrations
  • Migrating Legacy CSP Keys to Key Storage Provider
  • LAB – Migrate CA to Server 2016
  • LAB – Migrate CA Key to KSP and Migrate from SHA1 to SHA2

Database Cleanup and Defragmentation

  • Identifying Bloated CA Databases
  • Pruning CA Database to Manage Size
  • Defragmentation and Database Whitespace Management
  • LAB – Clean and Defragment CA Database

Hacking OCSP for Near Real-time Revocation Details

  • Managing Caching Behavior on OCSP Clients
  • Managing Caching Behavior on OCSP Responder
  • Forced Purge of Cache and HTTP MaxAge
  • CRL Re-Sign for Short-Term CRL-Based OCSP Responses
  • Calculating the OCSP Magic Number in Your Environment
  • Deterministic Results and Multi Certificate Queries
  • LAB – Deploy OCSP with 1 Hour Maximum Latency of Revocation

Key Recovery

  • Template and Security Requirements
  • KRA Best Practices and Key Controls
  • Identifying and Extracting Archived Keys
  • LAB – Archive and Recover Encryption Key for User

Keys and Templates

  • Correlating Certificates and Key Files
  • Managing and Repairing Keys
  • Modifying V1 templates
  • Changing Templates from User to Computer and vice versa
  • Kerberos Authentication Templates for Domain Controllers
  • LAB – Certificate and Key File Queries and Repairs
  • LAB – Exporting Non-Exportable Keys
  • LAB – Modify Hidden Template Properties
  • LAB – Deploy Kerberos Authentication Certificates and Verify

Code Signing

  • Creating and Issuing Code Signing Certificates
  • Time Stamping
  • Revocation
  • LAB – Code Signing Scripts and Executables

Restricted Enrollment Agents

  • Deploying High Security Certificates with Restricted Enrollment
  • Best Practices for Enrollment Agents
  • LAB – Manage and Issue Certificate with Restricted Enrollment Agents

Policy CAs

  • Enforcing Issuance Restrictions
  • LAB – Restricting Subordinate CA Issuance

What Students are Saying

“The class was very informative and the labs especially useful. I have strongly recommended the class to others.”

Manish Patel

Principal Professional Services Consultant, Gemalto

“I definitely walked away feeling empowered with knowledge.”

Mike Gantert

Senior Information Security Analyst, Country Financial Security Services

“One of the best trainings I ever attended!”

Jim Bjurefeldt

Technical Specialist, Verisec

“The course was excellent and I enjoyed learning a lot from your class.”

Raj Nagalingam

CISSP, Partner Solution Architect, LinkedIn

About the Instructor


Mark B. Cooper, president and founder of PKI Solutions, has deep knowledge and experience in all things Public Key Infrastructure (PKI), including Microsoft Active Directory Certificate Services (ADCS) and PKI design and implementation. Mark has custom-developed the PKI training courses and has led hundreds of PKI trainings around the world. Mark has been known as “The PKI Guy” since his early days at Microsoft, where he was a senior engineer designing, implementing, and supporting ADCS environments for Microsoft’s largest customers.