Job Title
Microsoft PKI / AD CS Specialist
Location
Maidenhead, United Kingdom
Position Type
Freelance/Contract
Experience Level
5 years
Role Purpose
We are looking for an experienced Microsoft PKI / AD CS Specialist to assess, design and support implementation of an on-premises certificate lifecycle management solution for a Microsoft-based enterprise environment.
Key Responsibilities
Current-State PKI Assessment
* Review the existing on-premises Microsoft CA / AD CS configuration.
* Assess CA hierarchy, root/intermediate CA design, issuing CA configuration and certificate policies.
* Review certificate templates, issuance permissions, auto-enrolment settings and approval workflows.
* Assess CRL, OCSP, revocation checking and certificate chain availability.
* Review current server certificate usage across domain-joined, internal, SQL/SSRS and DMZ/workgroup servers.
* Identify current risks, gaps and improvement areas in certificate lifecycle management.
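Worked example, added here and not part of the posting or the employer's tooling: a PowerShell pass over the template and issuance-permission points in the assessment list above. It reads every template object under CN=Certificate Templates in the forest's Configuration partition and reports, per template, the validity period, whether the requester may supply its own subject ("Supply in the request"), whether CA manager approval is required, whether the template can issue client-authentication certificates, and which principals hold Enroll/AutoEnroll on the template's DACL. It then isolates the combination that lets a low-privilege principal obtain an authentication certificate for a subject of its own choosing with no approval step (the widely documented ESC1 misconfiguration). It assumes the RSAT ActiveDirectory module and read access to the Configuration naming context; the list of "broad" principals is an assumed heuristic, not a standard.

```powershell
# Added example, not the employer's tooling: review AD CS certificate templates.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag bits (MS-CRTD) and extended-right GUIDs used below.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # "Supply in the request" on the Subject Name tab
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # "CA certificate manager approval"
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'
$AnyPurposeEku  = '2.5.29.37.0'

# Assumed heuristic: principals that make an Enroll grant "broad". Extend to taste.
$broadPrincipals = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'

function Test-BroadPrincipal([string]$Name) {
    foreach ($b in $broadPrincipals) {
        if ($Name -eq $b -or $Name -like "*\$b") { return $true }
    }
    return $false
}

function Get-TemplateValidity([byte[]]$Bytes) {
    # pKIExpirationPeriod is a little-endian, negative FILETIME interval in 100 ns ticks.
    if (-not $Bytes) { return $null }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

$props = 'displayName', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
         'pKIExtendedKeyUsage', 'pKIExpirationPeriod', 'nTSecurityDescriptor'

$report = Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t         = $_
    $nameFlag  = [int64]$t.'msPKI-Certificate-Name-Flag'
    $enrolFlag = [int64]$t.'msPKI-Enrollment-Flag'
    $ekus      = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

    # Collect who can Enroll / AutoEnroll from the template's DACL. An ACE with the
    # null object GUID that grants ExtendedRight (GenericAll includes it) also confers enrolment.
    $enroll = @(); $autoEnroll = @()
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($ace.ObjectType -eq $EnrollGuid)     { $enroll     += $id }
        if ($ace.ObjectType -eq $AutoEnrollGuid) { $autoEnroll += $id }
        if ($ace.ObjectType -eq [guid]::Empty -and (([int]$ace.ActiveDirectoryRights -band 0x100) -ne 0)) { $enroll += $id }
    }

    [pscustomobject]@{
        Template                = $t.displayName
        Validity                = Get-TemplateValidity $t.pKIExpirationPeriod
        EnrolleeSuppliesSubject = [bool]($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        ManagerApproval         = [bool]($enrolFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
        # No EKU at all means "any purpose", which includes client authentication.
        ClientAuthCapable       = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthEku) -or ($ekus -contains $AnyPurposeEku)
        BroadEnroll             = [bool](@($enroll | Where-Object { Test-BroadPrincipal $_ }).Count)
        EnrollPrincipals        = ($enroll     | Sort-Object -Unique) -join '; '
        AutoEnrollPrincipals    = ($autoEnroll | Sort-Object -Unique) -join '; '
    }
}

$report | Sort-Object Template |
    Format-Table Template, Validity, EnrolleeSuppliesSubject, ManagerApproval, ClientAuthCapable, EnrollPrincipals -AutoSize

# Highest-priority finding: a broad principal can request a client-authentication
# certificate for a subject of its own choosing with no approval step (ESC1).
$report | Where-Object { $_.BroadEnroll -and $_.EnrolleeSuppliesSubject -and $_.ClientAuthCapable -and -not $_.ManagerApproval } |
    Select-Object Template, EnrollPrincipals
```

Two caveats when reading the output. A template that exists in AD but is not published on any CA cannot be issued from, so reconcile the list against `certutil -CATemplates` run on each issuing CA. Conversely, the per-template "supply in the request" flag is not the only way a requester can control the subject: if the CA itself has the EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag set (visible with `certutil -getreg policy\EditFlags`), a SAN can be injected into requests on any template, so that CA-level setting belongs in the same assessment.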
Target PKI Architecture
* Design a secure and supportable Microsoft PKI / AD CS target architecture.
* Define certificate templates for internal server authentication, SQL Server, SSRS, application portals and internal HTTPS endpoints.
* Define certificate validity periods, renewal periods, key lengths, algorithms, SAN naming standards and subject naming conventions.
* Define auto-enrolment patterns for domain-joined Windows servers.
* Define secure issuance and renewal options for non-domain-joined DMZ/workgroup servers.
* Recommend whether the existing CA can be reused, remediated or whether additional configuration is required.
* Produce practical design documentation suitable for infrastructure, security and operations teams.
Certificate Lifecycle and Automation
* Define certificate request, approval, issuance, deployment, renewal and revocation processes.
* Design GPO-based certificate auto-enrolment where appropriate.
* Advise on scripted or manual certificate issuance patterns where auto-enrolment is not suitable.
* Define monitoring and alerting requirements for expiring certificates.
* Support integration with operational processes, including change management, CAB, maintenance windows and service validation.
* Advise on whether third-party certificate lifecycle tools are required or whether native Microsoft capabilities are sufficient.
Security and Compliance
* Ensure the PKI design aligns with security best practice and audit expectations.
* Define auditable controls for certificate issuance, renewal, revocation and administrative access.
* Support ISO 27001-style evidence requirements, including proof that certificates are monitored, renewed and controlled.
* Identify and document risks associated with self-signed certificates, public wildcard certificate reuse, weak cryptography, unmanaged certificates and orphaned certificate owners.
* Produce an exception handling model for systems that cannot follow the standard certificate lifecycle process.
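Worked example, added here and not part of the posting: a PowerShell inventory that produces the evidence the monitoring requirement (expiring certificates) and the risk review above (self-signed certificates, weak cryptography, unmanaged certificates) both ask for. It enumerates the machine personal store on a set of domain-joined servers over WinRM and tags each certificate with findings: expired or expiring within the warning window, self-signed, RSA key below a minimum size, or a SHA-1/MD5 signature. It assumes WinRM is enabled on the targets and that the caller is a local administrator there; the server list, warning window and key-size threshold are assumed values.

```powershell
# Added example, not the employer's tooling: inventory and flag machine certificates
# on domain-joined servers. Assumes WinRM and local admin rights on the targets.
$servers    = @($env:COMPUTERNAME)    # assumed; e.g. 'srv-web01', 'srv-sql01'
$warnDays   = 30                      # assumed warning window for the expiry alert
$minRsaBits = 2048                    # assumed minimum RSA key size

$scan = {
    param($warnDays, $minRsaBits)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates.
        $rsa      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        $keyBits  = if ($rsa) { $rsa.KeySize } else { $null }
        $sigAlg   = $_.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA, sha1RSA
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        $selfSigned = ($_.Subject -eq $_.Issuer)

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            KeyAlgorithm  = $_.PublicKey.Oid.FriendlyName
            KeyBits       = $keyBits
            SignatureAlg  = $sigAlg
            Findings      = @(
                if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $warnDays) { "EXPIRES-IN-$daysLeft-DAYS" }
                if ($selfSigned) { 'SELF-SIGNED' }
                if ($rsa -and $keyBits -lt $minRsaBits) { "RSA-$keyBits" }
                if ($sigAlg -match 'sha1|md5') { "WEAK-SIG-$sigAlg" }
            ) -join ','
        }
    }
}

# Remote collection; for a single local run use: & $scan $warnDays $minRsaBits
$inventory = Invoke-Command -ComputerName $servers -ScriptBlock $scan `
                -ArgumentList $warnDays, $minRsaBits -ErrorAction Continue

# Console view of anything that needs action, soonest expiry first.
$inventory | Where-Object Findings | Sort-Object NotAfter |
    Format-Table Server, Subject, NotAfter, DaysLeft, Findings -AutoSize

# Full inventory for the evidence pack and reconciliation against the CA / CMDB.
$inventory | Export-Csv -Path .\cert-inventory.csv -NoTypeInformation
```

The endpoint view above answers "what is actually installed and bound", which is where self-signed and unmanaged certificates surface. The complementary CA-side view, which shows what was issued and to whom, comes from the CA database (for example `certutil -view -restrict "Disposition=20"` with a NotAfter restriction on an issuing CA); comparing the two lists is the quickest way to find certificates with no current owner. Non-domain-joined DMZ/workgroup servers will not be reachable with Kerberos-based WinRM as written and need a separate collection path, which is consistent with the exception-handling model this section asks for.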
Proof of Concept and Implementation Support
* Lead or support a PoC using selected non-production servers.
* Validate certificate enrolment and renewal for domain-joined servers.
* Support testing of certificate bindings for internal web services, SQL Server and SSRS.
* Validate trust chains, certificate stores, CRL accessibility and service connectivity.
* Produce implementation runbooks and operational handover materials.
* Support production rollout planning, including change records, test plans, rollback/fix-forward approach and post-change validation.
Required Skills and Experience
* Microsoft AD CS – Strong experience designing, configuring or assessing Microsoft Active Directory Certificate Services.
* Windows PKI – Strong understanding of PKI concepts, certificate chains, root/intermediate CAs, revocation, CRLs, OCSP and certificate templates.
* Active Directory – Strong understanding of AD, GPOs, domain-joined servers, permissions and security groups.
* Auto-enrolment – Practical experience with certificate auto-enrolment using Group Policy.
* Certificate templates – Ability to design and secure templates for server authentication and internal TLS use cases.
* Windows Server – Strong knowledge of certificate stores, service bindings and Windows Server security.
* Internal TLS – Experience securing internal server-to-server communication using CA-issued certificates.
* DMZ/workgroup servers – Experience designing certificate processes for non-domain-joined or isolated servers.
* Security governance – Familiarity with audit, evidence, vulnerability scanning and ISO 27001-style control expectations.
* Documentation – Ability to produce clear architecture, assessment, runbook and operational documentation.
Desirable Skills
* Experience with SQL Server and SSRS certificate requirements.
* Experience with IIS certificate bindings.
* Experience with load balancers, reverse proxies or DMZ certificate patterns.
* Experience with certificate lifecycle management tools.
* PowerShell scripting experience for certificate inventory, reporting or automation.
* Experience working in regulated, public sector or security-conscious environments.
* Knowledge of Entra ID application certificates and secrets would be useful, but is not the primary focus of this role.
* Experience supporting CAB/change-controlled production environments.