
Microsoft PKI / AD CS Specialist (Contract/Freelance)

Maidenhead
Freelance
Data Controller, VE Ltd
€80,000 a year
Posted: 20 May
Offer description

Microsoft PKI / AD CS Specialist (Contract/Freelance)

Windsor and Maidenhead, United Kingdom | Posted on 18/05/2026

VE3 is a technology and business consultancy focused on delivering end-to-end technology solutions and products. We have successfully serviced enterprises across multiple markets, including the public and private sectors. Our services span all aspects of business, providing a holistic approach to managing an organization. We are committed to providing technical innovations and tools that empower organizations with critical information to facilitate decision-making that results in business transformation through cost savings and increased operational efficiency. Our commitment to quality is adopted throughout the organization and sets the foundation for delivering our full suite of capabilities.


Job Description

Role Purpose

We are looking for an experienced Microsoft PKI / AD CS Specialist to assess, design and support implementation of an on-premise certificate lifecycle management solution for a Microsoft-based enterprise environment.


Requirements

Key Responsibilities

1. Current-State PKI Assessment

* Review the existing on-premise Microsoft CA / AD CS configuration.
* Assess CA hierarchy, root/intermediate CA design, issuing CA configuration and certificate policies.
* Review certificate templates, issuance permissions, auto-enrolment settings and approval workflows.
* Assess CRL, OCSP, revocation checking and certificate chain availability.
* Review current server certificate usage across domain-joined, internal, SQL/SSRS and DMZ/workgroup servers.
* Identify current risks, gaps and improvement areas in certificate lifecycle management.

2. Target PKI Architecture

* Design a secure and supportable Microsoft PKI / AD CS target architecture.
* Define certificate templates for internal server authentication, SQL Server, SSRS, application portals and internal HTTPS endpoints.
* Define certificate validity periods, renewal periods, key lengths, algorithms, SAN naming standards and subject naming conventions.
* Define auto-enrolment patterns for domain-joined Windows servers.
* Define secure issuance and renewal options for non-domain-joined DMZ/workgroup servers.
* Recommend whether the existing CA can be reused, remediated or whether additional configuration is required.
* Produce practical design documentation suitable for infrastructure, security and operations teams.

3. Certificate Lifecycle and Automation

* Define certificate request, approval, issuance, deployment, renewal and revocation processes.
* Design GPO-based certificate auto-enrolment where appropriate.
* Advise on scripted or manual certificate issuance patterns where auto-enrolment is not suitable.
* Define monitoring and alerting requirements for expiring certificates.
* Support integration with operational processes, including change management, CAB, maintenance windows and service validation.
* Advise on whether third-party certificate lifecycle tools are required or whether native Microsoft capabilities are sufficient.

4. Security and Compliance

* Ensure the PKI design aligns with security best practice and audit expectations.
* Define auditable controls for certificate issuance, renewal, revocation and administrative access.
* Support ISO 27001-style evidence requirements, including proof that certificates are monitored, renewed and controlled.
* Identify and document risks associated with self-signed certificates, public wildcard certificate reuse, weak cryptography, unmanaged certificates and orphaned certificate owners.
* Produce an exception handling model for systems that cannot follow the standard certificate lifecycle process.

5. Proof of Concept and Implementation Support

* Lead or support a PoC using selected non-production servers.
* Validate certificate enrolment and renewal for domain-joined servers.
* Support testing of certificate bindings for internal web services, SQL Server and SSRS.
* Validate trust chains, certificate stores, CRL accessibility and service connectivity.
* Produce implementation runbooks and operational handover materials.
* Support production rollout planning, including change records, test plans, rollback/fix-forward approach and post-change validation.

Required Skills and Experience

The candidate should have strong hands-on and architectural experience in:

| Area | Requirement |
| --- | --- |
| Microsoft AD CS | Strong experience designing, configuring or assessing Microsoft Active Directory Certificate Services. |
| Windows PKI | Strong understanding of PKI concepts, certificate chains, root/intermediate CAs, revocation, CRLs, OCSP and certificate templates. |
| Active Directory | Strong understanding of AD, GPOs, domain-joined servers, permissions and security groups. |
| | Practical experience with certificate auto-enrolment using Group Policy. |
| Certificate templates | Ability to design and secure templates for server authentication and internal TLS use cases. |
| Windows Server | Strong knowledge of certificate stores, service bindings and Windows Server security. |
| Internal TLS | Experience securing internal server-to-server communication using CA-issued certificates. |
| DMZ/workgroup servers | Experience designing certificate processes for non-domain-joined or isolated servers. |
| Security governance | Familiarity with audit, evidence, vulnerability scanning and ISO 27001-style control expectations. |
| Documentation | Ability to produce clear architecture, assessment, runbook and operational documentation. |

* Experience with SQL Server and SSRS certificate requirements.
* Experience with IIS certificate bindings.
* Experience with load balancers, reverse proxies or DMZ certificate patterns.
* Experience with certificate lifecycle management tools.
* PowerShell scripting experience for certificate inventory, reporting or automation.
* Experience working in regulated, public sector or security-conscious environments.
* Knowledge of Entra ID application certificates and secrets would be useful, but is not the primary focus of this role.
* Experience supporting CAB/change-controlled production environments.