Microsoft ADCS Advanced Training


This course is recommended for anyone who has taken the PKI In-depth Training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with Certificate Services.

SKU: PKI Advanced Class - Open Enrollment


All of our training courses are available for private delivery onsite at your organization. For a fixed fee accommodating up to 10 students, our private deliveries enable you to avoid employee travel and out-of-office issues, and provide a schedule that meets your needs. Ask us for details on how to book a delivery.

This advanced PKI class focuses on hands-on labs and topics that build on the student's existing knowledge of Microsoft Active Directory Certificate Services (ADCS) and PKI. Students will spend the majority of the class working on real-life scenarios in the lab, ranging from deploying enrollment services and hacking OCSP for near real-time revocation checking to Certificate Authority (CA) migrations, disaster recovery scenarios, certificate reporting and CA database management. Advanced topics including code signing, key-pair file management and enrollment agents will also be covered.

Class audience: This course is recommended for anyone who has taken the PKI In-depth training class or is already familiar with Microsoft ADCS and is comfortable in a lab environment working with ADCS.


Class syllabus

Network Device Enrollment Service

  • Installation and Security
  • Policy Module
  • Websites to support Multiple CAs
  • Modifying and Exploring CAWE Web Pages
  • LAB – Deploying CAWE on Dedicated Server with Kerberos Delegation
  • LAB – Modify CAWE Enrollment Pages

Disaster Recovery

  • Scripting CA Backups
  • Manual Recovery of Issued Certificates Based on SMTP Exit Module Alerting
  • Authoritative AD Restore of ADCS components
  • LAB – Recover a Failed CA
  • LAB – Recover Issued Certificates Manually
  • LAB – CRL Re-signing for Availability

Certificate Services Reporting

  • CA Database Schema and Queries
  • Custom Reporting and Alerting
    • Expiring Certificates
    • Remaining SHA1 certificates
  • PowerShell and Certutil cmdlets
  • LAB – Query CA Database and Send Email Alerts

Certificate Authority migrations

  • Compliance with Microsoft and Google Browser Requirements
  • Partial, Full, and Cross-Signed Migrations
  • Migrating Legacy CSP Keys to Key Storage Provider
  • LAB – Migrate CA to Server 2016
  • LAB – Migrate CA Key to KSP and Migrate from SHA1 to SHA2

Database Cleanup and Defragmentation

  • Identifying Bloated CA Databases
  • Pruning CA Database to Manage Size
  • Defragmentation and Database Whitespace Management
  • LAB – Clean and Defragment CA Database

Hacking OCSP for Near Real-time Revocation Details

  • Managing Caching Behavior on OCSP Clients
  • Managing Caching Behavior on OCSP Responder
  • Forced Purge of Cache and HTTP MaxAge
  • CRL Re-Sign for Short Term CRL based OCSP Responses
  • Calculating the OCSP Magic Number in Your Environment
  • Deterministic Results and Multi Certificate Queries
  • LAB – Deploy OCSP with 1 Hour Maximum Latency of Revocation

Key Recovery

  • Template and Security Requirements
  • KRA Best Practices and Key Controls
  • Identifying and Extracting Archived Keys
  • LAB – Archive and Recover Encryption Key for User

Keys and Templates

  • Correlating Certificates and Key Files
  • Managing and Repairing Keys
  • Modifying V1 templates
  • Changing Templates from User to Computer and vice versa
  • Kerberos Authentication Templates for Domain Controllers
  • LAB – Certificate and Key File Queries and Repairs
  • LAB – Exporting Non-Exportable Keys
  • LAB – Modify Hidden Template Properties
  • LAB – Deploy Kerberos Authentication Certificates and Verify

Code Signing

  • Creating and Issuing Code Signing Certificates
  • Time Stamping
  • Revocation
  • LAB – Code Signing Scripts and Executables

Restricted Enrollment Agents

  • Deploying High Security Certificates with Restricted Enrollment
  • Best Practices for Enrollment Agents
  • LAB – Manage and Issue Certificate with Restricted Enrollment Agents

Policy CAs

  • Enforcing Issuance Restrictions
  • LAB – Restricting Subordinate CA Issuance

Training Locations

Our US training classes are primarily conducted at the following two locations: Portland, Oregon and Washington, DC.

Portland Oregon

1455 NW Irving St
Portland, Oregon 9209

Washington DC

137 National Plaza
Oxon Hill, MD 20745

3 reviews for Microsoft ADCS Advanced Training

  1. Lourdes Herling, Cyber Security Analyst, Nebraska Public Power District

    “The class definitely exceeded my expectations. My PKI knowledge has grown substantially. I plan on applying several of the concepts to our internal PKI. I will be recommending your courses to anyone who needs to increase their PKI knowledge.”

  2. William H. Knight, Sr. Systems Administrator, Deloitte

    “The class was excellent. The content was useful, detailed and as advanced as I was hoping it’d be. The hands-on labs were very well thought out, easy to understand and effectively linked the course content and lecture to actual implementation. Props to you for the cloud lab – it really enhanced the class!”

  3. Raymond Devine, Solutions Architect, Azure/AD/Office 365

    “He’s amazing and can communicate complex topics like PKI in terms anyone can understand.”
