PKI Training and Resources
Any recommendations on advanced PKI training? I've taken the "Designing and Managing a Microsoft Windows Public Key Infrastructure" course; however, it doesn't go into great detail on the many intricacies of PKI (i.e. certificate policies, custom application policies, CTLs, etc.). Any suggestions are appreciated.
June 15th, 2011 2:37pm

1. I would advise you to read Brian's book: http://www.microsoft.com/learning/en/us/book.aspx?ID=9549&locale=en-us. This is mandatory for any Windows PKI administrator.
2. You may want to revisit the Windows PKI team's blog at http://blogs.technet.com/b/pki and the Directory Services support blog: http://blogs.technet.com/b/askds
3. Take a look at this article: http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx
4. Since you have at least a basic background, this book will extend your knowledge. Also don't forget to check for official whitepapers and RFCs. For example, RFC5280 is the only document (as far as I know) that fully describes how policy constraints work.
5. For advanced details you should refer to MS communication protocols like MS-CASO, MS-CAESO, MS-CSRA, MS-WCCE, MS-XCEP, MS-WSTEP, MS-OCSP, MS-OCSPA and so on. Even if these documents are needed for developers, there are many Windows-specific implementation topics. However, this will require advanced knowledge about Windows PKI.

This is not a definitive way, but just how I learned (and am still learning) PKI.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 15th, 2011 3:16pm

I find it very shameful that MS doesn't provide a reasonable and, most importantly, a current revision of its own PKI training. The only single training I found on this topic is the "Course 2821A: Deploying and Managing a Public Key Infrastructure" that is based on 10-year-old technology (Windows 2003), and also fails to describe the complex situations. Rookies trained in these simple lab environment trainings always fail badly when they face the complex systems in the real world. Also, nearly all the MS products on the market today use some kind of PKI. And still there is no proper self-paced learning book about this technology at all! Apart from that book of Brian's. But that wasn't written for novice admins, it was written for experts who want to become gurus.

There is nothing to read and understand for beginners. TechNet articles, on the other hand, are usually terrible at giving you proper overviews of the fundamentals of the technology. These articles focus most of the time on specific tasks, how to next-next-finish configure some feature, without any single explanation of why you are actually configuring that thing. A properly written book cannot be substituted with those cheap TechNet articles. Blogs and wikis as another source of information are not usable for rookies, for one single reason: the content is not organized, but scattered as hell. Wikis and blogs are only useful for experts to gain additional knowledge towards the guru level.
November 9th, 2012 11:23am

> I find it very shameful that MS doesn't provide a reasonable and, most importantly, a current revision of its own PKI training. The only single training I found on this topic is the "Course 2821A: Deploying and Managing a Public Key Infrastructure" that is based on 10-year-old technology (Windows 2003)

MS doesn't provide a lot of training courses. Many training courses are written by MCTs. For example, the mentioned Course 2821A was written by Brian Komar. Since PKI is just a service, like DFS, DHCP or DNS, it is included as a part of security-oriented training courses (for example, PKI was a part of the 70-298 and 70-299 exams for Windows Server 2003). On the other hand, PKI fundamentals weren't changed and most of the 2821A course is still actual. For new improvements (for example, OCSP service, enrollment web services) there are official whitepapers with content for beginners and advanced administrators. Also there is Brian's book, which gives the fundamentals in more depth.

> and also fails to describe the complex situations. Rookies trained in these simple lab environment trainings always fail badly when they face the complex systems in the real world.

I understand you. I don't have an answer for this.

> TechNet articles, on the other hand, are usually terrible at giving you proper overviews of the fundamentals of the technology

Agree, fundamentals on TechNet are not the best. Therefore I would recommend getting them from Brian's book. To be honest, I started my experience in PKI with Brian's book. I read it twice to get a proper vision of the large picture. Then I started to read other whitepapers (not single articles, they are BS) which describe a certain technology: certificate chaining engine, key archival, autoenrollment and so on. After that I started to read some hardcore stuff like communication protocol specifications (500+ level) and RFCs. However, this is necessary only for IT Pros who work mainly only with PKI and security. For the rest, official whitepapers are enough.

Eventually, you always can ask your question here, in the forums.

> Blogs and wikis as another source of information are not usable for rookies, for one single reason: the content is not organized, but scattered as hell

Agree again.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
November 9th, 2012 12:31pm

Maybe it's time for me to create a public offering course. I am thinking of an intro and an advanced course. All materials based on my to-be-written 2012 book. Would that be of interest?

Brian
November 9th, 2012 5:37pm

Hi Brian, I cannot make any commitment on my side, but I'd be surprised if there wasn't a huge demand for this topic worldwide.
November 10th, 2012 6:45am

I definitely agree. The courses out there now do little to address the intricacies of PKI. I'd love to see a class that demonstrates how to build a PKI with Root, Policy, and Issuing CAs. Talk about what to include in an install INF and why. Maybe touch on Certificate Practice Standards documents, CRL publication tips and tricks, Hardware Security Modules. How and when to build custom certificate templates is also a must (don't just focus on the built-in ones).

Bryan
November 23rd, 2012 3:21pm

I promised to myself that I'll read Brian's PKI book, as I have a couple of fundamental questions and want to see if that book contains chapters properly written to answer them. I think I will be able to write a proper review about that sometime.
November 23rd, 2012 4:05pm

I would definitely find this helpful. As the newly anointed PKI administrator for our company, finding a place to start is rather daunting. Being a certificate user for many years, I understand a lot of the basics, but going from there to being responsible for the cert security for a large company is a pretty major gap if I'm supposed to glean this from TechNet.
December 11th, 2012 12:19pm

This topic is archived. No further replies will be accepted.
