Maidenhead, United Kingdom — Posted on 18/05/2026
Job Description
Microsoft PKI / AD CS Specialist
Role Purpose
We are looking for an experienced Microsoft PKI / AD CS Specialist to assess, design and support implementation of an on-premises certificate lifecycle management solution for a Microsoft-based enterprise environment.
Responsibilities
1. Current‑State PKI Assessment
o Review the existing on-premises Microsoft CA / AD CS configuration.
o Assess CA hierarchy, root/intermediate CA design, issuing CA configuration and certificate policies.
o Review certificate templates, issuance permissions, auto‑enrolment settings and approval workflows.
o Assess CRL, OCSP, revocation checking and certificate chain availability.
o Review current server certificate usage across domain‑joined, internal, SQL/SSRS and DMZ/workgroup servers.
o Identify current risks, gaps and improvement areas in certificate lifecycle management.
2. Target PKI Architecture
o Design a secure and supportable Microsoft PKI / AD CS target architecture.
o Define certificate templates for internal server authentication, SQL Server, SSRS, application portals and internal HTTPS endpoints.
o Define certificate validity periods, renewal periods, key lengths, algorithms, SAN naming standards and subject naming conventions.
o Define auto‑enrolment patterns for domain‑joined Windows servers.
o Define secure issuance and renewal options for non‑domain‑joined DMZ/workgroup servers.
o Recommend whether the existing CA can be reused as-is, needs remediation, or requires additional configuration.
o Produce practical design documentation suitable for infrastructure, security and operations teams.
3. Certificate Lifecycle and Automation
o Define certificate request, approval, issuance, deployment, renewal and revocation processes.
o Design GPO‑based certificate auto‑enrolment where appropriate.
o Advise on scripted or manual certificate issuance patterns where auto‑enrolment is not suitable.
o Define monitoring and alerting requirements for expiring certificates.
o Support integration with operational processes, including change management, CAB, maintenance windows and service validation.
o Advise on whether third‑party certificate lifecycle tools are required or whether native Microsoft capabilities are sufficient.
4. Security and Compliance
o Ensure the PKI design aligns with security best practice and audit expectations.
o Define auditable controls for certificate issuance, renewal, revocation and administrative access.
o Support ISO 27001‑style evidence requirements, including proof that certificates are monitored, renewed and controlled.
o Identify and document risks associated with self‑signed certificates, public wildcard certificate reuse, weak cryptography, unmanaged certificates and orphaned certificate owners.
o Produce an exception handling model for systems that cannot follow the standard certificate lifecycle process.
5. Proof of Concept and Implementation Support
o Lead or support a PoC using selected non‑production servers.
o Validate certificate enrolment and renewal for domain‑joined servers.
o Support testing of certificate bindings for internal web services, SQL Server and SSRS.
o Validate trust chains, certificate stores, CRL accessibility and service connectivity.
o Produce implementation runbooks and operational handover materials.
o Support production rollout planning, including change records, test plans, rollback/fix‑forward approach and post‑change validation.
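The monitoring, weak-cryptography and trust-chain checks listed above are the kind of evidence a PKI assessment produces. The following PowerShell script is an added example, not part of the job posting or any employer tooling: it inventories the local machine's personal certificate store, flags certificates that are expiring, self-signed, using short RSA keys or SHA-1/MD5 signatures, or whose chain fails to build with online revocation checking, and writes the result to a CSV for audit evidence. The 30-day threshold, the 2048-bit RSA floor, the store path and the CSV location are illustrative assumptions; it assumes Windows PowerShell 5.1 on a domain-joined server.

```powershell
# Added example (not from the posting): certificate lifecycle health check for
# the LocalMachine\My store. Flags expiry, self-signed certs, weak keys/signatures
# and chain-build failures (e.g. an unreachable CRL/OCSP responder).
# Assumptions: Windows PowerShell 5.1+, .NET Framework 4.6+; thresholds are examples.
param(
    [int]$ExpiryWarningDays = 30,
    [int]$MinimumRsaKeySize = 2048,
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$ReportPath = "$env:TEMP\cert-inventory-$(Get-Date -Format yyyyMMdd).csv"
)

$now = Get-Date

$findings = foreach ($cert in Get-ChildItem -Path $StorePath) {

    # RSA key size; GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { $null }

    # Build the chain with online revocation checking, so a missing CRL or OCSP
    # responder shows up as a chain status error instead of going unnoticed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()

    $issues = @()
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($daysLeft -lt 0) {
        $issues += 'EXPIRED'
    } elseif ($daysLeft -le $ExpiryWarningDays) {
        $issues += "EXPIRES_IN_${daysLeft}_DAYS"
    }
    if ($cert.Subject -eq $cert.Issuer) { $issues += 'SELF_SIGNED' }
    if ($keySize -and $keySize -lt $MinimumRsaKeySize) { $issues += "WEAK_RSA_$keySize" }
    # FriendlyName looks like 'sha256RSA', 'sha1RSA' or 'md5RSA'.
    if ($cert.SignatureAlgorithm.FriendlyName -match '^(md5|sha1)') {
        $issues += "WEAK_SIG_$($cert.SignatureAlgorithm.FriendlyName)"
    }
    if (-not $chainOk) { $issues += "CHAIN_FAIL:$chainStatus" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        KeySize    = $keySize
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName
        ChainOk    = $chainOk
        Issues     = ($issues -join ';')
    }
}

# Full inventory goes to CSV as monitoring evidence; only problem entries are
# printed, which is what a scheduled task would forward to the alerting channel.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object { $_.Issues } | Format-Table Subject, DaysLeft, KeySize, Issues -AutoSize
```

Run as a scheduled task on each server, or remotely with Invoke-Command, and keep the dated CSVs: the "Issues" column is the alert trigger, and the retained reports are the proof that certificates are monitored. A non-empty CHAIN_FAIL entry on an otherwise valid certificate usually points at CRL/OCSP distribution points that are not reachable from that server, which is a PKI availability gap rather than a certificate defect.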