
Microsoft PKI / AD CS Specialist

Maidenhead
VE3
Posted: 18 May
Offer description




Role Purpose

We are looking for an experienced Microsoft PKI / AD CS Specialist to assess, design and support implementation of an on-premise certificate lifecycle management solution for a Microsoft-based enterprise environment.






Requirements

Key Responsibilities

1. Current-State PKI Assessment

* Review the existing on-premise Microsoft CA / AD CS configuration.
* Assess CA hierarchy, root/intermediate CA design, issuing CA configuration and certificate policies.
* Review certificate templates, issuance permissions, auto-enrolment settings and approval workflows.
* Assess CRL, OCSP, revocation checking and certificate chain availability.
* Review current server certificate usage across domain-joined, internal, SQL/SSRS and DMZ/workgroup servers.
* Identify current risks, gaps and improvement areas in certificate lifecycle management.
-----------------------------------

2. Target PKI Architecture

* Design a secure and supportable Microsoft PKI / AD CS target architecture.
* Define certificate templates for internal server authentication, SQL Server, SSRS, application portals and internal HTTPS endpoints.
* Define certificate validity periods, renewal periods, key lengths, algorithms, SAN naming standards and subject naming conventions.
* Define auto-enrolment patterns for domain-joined Windows servers.
* Define secure issuance and renewal options for non-domain-joined DMZ/workgroup servers.
* Recommend whether the existing CA can be reused, remediated or whether additional configuration is required.
* Produce practical design documentation suitable for infrastructure, security and operations teams.
-----------------------------------

3. Certificate Lifecycle and Automation

* Define certificate request, approval, issuance, deployment, renewal and revocation processes.
* Design GPO-based certificate auto-enrolment where appropriate.
* Advise on scripted or manual certificate issuance patterns where auto-enrolment is not suitable.
* Define monitoring and alerting requirements for expiring certificates.
* Support integration with operational processes, including change management, CAB, maintenance windows and service validation.
* Advise on whether third-party certificate lifecycle tools are required or whether native Microsoft capabilities are sufficient.
-----------------------------------

4. Security and Compliance

* Ensure the PKI design aligns with security best practice and audit expectations.
* Define auditable controls for certificate issuance, renewal, revocation and administrative access.
* Support ISO 27001-style evidence requirements, including proof that certificates are monitored, renewed and controlled.
* Identify and document risks associated with self-signed certificates, public wildcard certificate reuse, weak cryptography, unmanaged certificates and orphaned certificate owners.
* Produce an exception handling model for systems that cannot follow the standard certificate lifecycle process.
-----------------------------------



5. Proof of Concept and Implementation Support

* Lead or support a PoC using selected non-production servers.
* Validate certificate enrolment and renewal for domain-joined servers.
* Support testing of certificate bindings for internal web services, SQL Server and SSRS.
* Validate trust chains, certificate stores, CRL accessibility and service connectivity.
* Produce implementation runbooks and operational handover materials.
* Support production rollout planning, including change records, test plans, rollback/fix-forward approach and post-change validation.
-----------------------------------

Required Skills and Experience

The candidate should have strong hands-on and architectural experience in:

| Area | Requirement |
|---|---|
| Microsoft AD CS | Strong experience designing, configuring or assessing Microsoft Active Directory Certificate Services. |
| Windows PKI | Strong understanding of PKI concepts, certificate chains, root/intermediate CAs, revocation, CRLs, OCSP and certificate templates. |
| Active Directory | Strong understanding of AD, GPOs, domain-joined servers, permissions and security groups. |
| Auto-enrolment | Practical experience with certificate auto-enrolment using Group Policy. |
| Certificate templates | Ability to design and secure templates for server authentication and internal TLS use cases. |
| Windows Server | Strong knowledge of certificate stores, service bindings and Windows Server security. |
| Internal TLS | Experience securing internal server-to-server communication using CA-issued certificates. |
| DMZ/workgroup servers | Experience designing certificate processes for non-domain-joined or isolated servers. |
| Security governance | Familiarity with audit, evidence, vulnerability scanning and ISO 27001-style control expectations. |
| Documentation | Ability to produce clear architecture, assessment, runbook and operational documentation. |

-----------------------------------

Desirable Skills

* Experience with SQL Server and SSRS certificate requirements.
* Experience with IIS certificate bindings.
* Experience with load balancers, reverse proxies or DMZ certificate patterns.
* Experience with certificate lifecycle management tools.
* PowerShell scripting experience for certificate inventory, reporting or automation.
* Experience working in regulated, public sector or security-conscious environments.
* Knowledge of Entra ID application certificates and secrets would be useful, but is not the primary focus of this role.
* Experience supporting CAB/change-controlled production environments.
