Maidenhead, United Kingdom — Posted on 18/05/2026
Job Description
Microsoft PKI / AD CS Specialist
Role Purpose
We are looking for an experienced Microsoft PKI / AD CS Specialist to assess, design and support implementation of an on-premises certificate lifecycle management solution for a Microsoft-based enterprise environment.
Responsibilities
- Current-State PKI Assessment
  - Review the existing on-premises Microsoft CA / AD CS configuration.
  - Assess the CA hierarchy, root/intermediate CA design, issuing CA configuration and certificate policies.
  - Review certificate templates, issuance permissions, auto-enrolment settings and approval workflows.
  - Assess CRL and OCSP publication, revocation checking by relying parties and availability of the certificate chain (AIA).
  - Review current server certificate usage across domain-joined, internal, SQL/SSRS and DMZ/workgroup servers.
  - Identify current risks, gaps and improvement areas in certificate lifecycle management.
- Target PKI Architecture
  - Design a secure and supportable Microsoft PKI / AD CS target architecture.
  - Define certificate templates for internal server authentication, SQL Server, SSRS, application portals and internal HTTPS endpoints.
  - Define certificate validity periods, renewal periods, key lengths, algorithms, SAN naming standards and subject naming conventions.
  - Define auto-enrolment patterns for domain-joined Windows servers.
  - Define secure issuance and renewal options for non-domain-joined DMZ/workgroup servers.
  - Recommend whether the existing CA can be reused as-is, needs remediation, or requires additional configuration.
  - Produce practical design documentation suitable for infrastructure, security and operations teams.
- Certificate Lifecycle and Automation
  - Define certificate request, approval, issuance, deployment, renewal and revocation processes.
  - Design GPO-based certificate auto-enrolment where appropriate.
  - Advise on scripted or manual certificate issuance patterns where auto-enrolment is not suitable.
  - Define monitoring and alerting requirements for expiring certificates.
  - Support integration with operational processes, including change management, the Change Advisory Board (CAB), maintenance windows and service validation.
  - Advise on whether third-party certificate lifecycle tools are required or whether native Microsoft capabilities are sufficient.
- Security and Compliance
  - Ensure the PKI design aligns with security best practice and audit expectations.
  - Define auditable controls for certificate issuance, renewal, revocation and administrative access.
  - Support ISO 27001-style evidence requirements, including proof that certificates are monitored, renewed and controlled.
  - Identify and document risks associated with self-signed certificates, public wildcard certificate reuse, weak cryptography, unmanaged certificates and orphaned certificate owners.
  - Produce an exception handling model for systems that cannot follow the standard certificate lifecycle process.
- Proof of Concept and Implementation Support
  - Lead or support a PoC using selected non-production servers.
  - Validate certificate enrolment and renewal for domain-joined servers.
  - Support testing of certificate bindings for internal web services, SQL Server and SSRS.
  - Validate trust chains, certificate stores, CRL accessibility and service connectivity.
  - Produce implementation runbooks and operational handover materials.
  - Support production rollout planning, including change records, test plans, rollback/fix-forward approach and post-change validation.
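The current-state assessment bullets above (templates, issuance permissions, auto-enrolment settings, approval workflows, validity and key sizes) can be evidenced with one inventory script rather than by clicking through the Certificate Templates console. The following PowerShell is an added example written for this page, not code from the posting or the employer; it reads template and Enrollment Services objects from the AD Configuration partition via ADSI, so it runs from any domain-joined host as an ordinary domain user. The flag bit values and extended-right GUIDs are the documented Microsoft constants; the output file name and EKU name map are the example's own choices.

```powershell
# Added example (not from the posting): inventory AD CS certificate templates with the
# settings a current-state assessment reviews. Uses only ADSI / System.DirectoryServices,
# so no RSAT module is needed; any domain account can read these objects by default.

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pksPath  = "CN=Public Key Services,CN=Services,$configNc"

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Template flag bits (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # subject/SAN taken from the CSR, not built from AD
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # CA certificate manager approval required
$CT_FLAG_AUTO_ENROLLMENT           = 0x20   # template permits auto-enrolment

# Friendly names for the EKUs this posting cares about (others are printed as raw OIDs)
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'ServerAuth'
    '1.3.6.1.5.5.7.3.2'      = 'ClientAuth'
    '1.3.6.1.4.1.311.20.2.2' = 'SmartcardLogon'
}

# Map template name -> CAs that publish it. An unpublished template cannot be enrolled from.
$publishedOn = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pksPath").Children) {
    foreach ($t in @($ca.Properties['certificateTemplates'])) {
        if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
        $publishedOn[$t] += [string]$ca.Properties['cn'].Value
    }
}

# Principals granted a given extended right on a template object. GenericAll and an
# "all extended rights" ACE (empty ObjectType) grant it too. Deny ACEs are not evaluated here.
function Get-TemplateRightHolders {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd, [Guid]$Right)
    $Sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object {
            $rights = [int]$_.ActiveDirectoryRights
            (($rights -band 0xF01FF) -eq 0xF01FF) -or                         # GenericAll
            ((($rights -band 0x100) -ne 0) -and                                # ExtendedRight ...
             (($_.ObjectType -eq $Right) -or ($_.ObjectType -eq [Guid]::Empty)))
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$report = foreach ($tpl in ([ADSI]"LDAP://CN=Certificate Templates,$pksPath").Children) {
    $name       = [string]$tpl.Properties['cn'].Value
    $nameFlag   = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrollFlag = [int]$tpl.Properties['msPKI-Enrollment-Flag'].Value
    # pKIExpirationPeriod is a negative FILETIME-style interval in 100 ns units
    $expBytes   = [byte[]]$tpl.Properties['pKIExpirationPeriod'].Value
    $validDays  = [math]::Abs([BitConverter]::ToInt64($expBytes, 0)) / 864000000000
    $ekus       = @($tpl.Properties['pKIExtendedKeyUsage']) |
                  ForEach-Object { if ($ekuNames.ContainsKey($_)) { $ekuNames[$_] } else { $_ } }

    [pscustomobject]@{
        Template        = $name
        PublishedOn     = (if ($publishedOn.ContainsKey($name)) { $publishedOn[$name] -join ', ' } else { '' })
        ValidityDays    = [int]$validDays
        MinKeySize      = [int]$tpl.Properties['msPKI-Minimal-Key-Size'].Value
        EKU             = ($ekus -join ', ')
        SubjectFromCSR  = [bool]($nameFlag   -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        ManagerApproval = [bool]($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
        AutoEnrolment   = [bool]($enrollFlag -band $CT_FLAG_AUTO_ENROLLMENT)
        RASignatures    = [int]$tpl.Properties['msPKI-RA-Signature'].Value
        CanEnroll       = ((Get-TemplateRightHolders $tpl.ObjectSecurity $EnrollGuid)     -join '; ')
        CanAutoEnroll   = ((Get-TemplateRightHolders $tpl.ObjectSecurity $AutoEnrollGuid) -join '; ')
    }
}

# Rows that belong in the risk register: published templates where the requester controls
# the subject/SAN and no approval step or RA signature gates issuance.
$report |
    Where-Object { $_.PublishedOn -and $_.SubjectFromCSR -and -not $_.ManagerApproval -and $_.RASignatures -eq 0 } |
    Format-Table Template, PublishedOn, EKU, CanEnroll -AutoSize

# Full inventory as audit evidence (file name is this example's choice)
$report | Export-Csv -NoTypeInformation -Path .\adcs-templates.csv
```

The CSV is the artefact to attach to the assessment: it answers in one table which templates exist, which CA publishes them, how long their certificates live, the minimum key size, which EKUs they carry, and which groups can enrol or auto-enrol. The filtered view at the end is the first thing to cross-check against the "issuance permissions" bullet, because a template that lets the requester supply the subject with no approval gate is only safe if the enrol right is tightly scoped. Deny ACEs and CA-level permissions (the CA's own security tab, enrollment agent restrictions) are out of scope for this script and need a separate check.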
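For the non-domain-joined DMZ/workgroup servers the posting calls out (secure issuance and renewal where auto-enrolment is not suitable), the pattern that keeps the private key on the target host is CSR-based issuance with certreq. The commands below are an added example for this page, not the employer's procedure; the hostname, SAN, CA configuration string, template name and file paths are placeholders. Steps 1 and 3 run on the DMZ host, step 2 on a domain-joined admin host with enrol rights on the template, so the CSR and the issued certificate are the only things that cross the boundary.

```powershell
# Added example (not from the posting): CSR-based issuance for a workgroup server.
# All names below are placeholders chosen for the example.

# --- 1. On the DMZ/workgroup host: generate a non-exportable key and a PKCS#10 request ---
$hostName = 'dmz-web01.example.net'
$base     = "C:\pki\$hostName"
New-Item -ItemType Directory -Path C:\pki -Force | Out-Null

$inf = @"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
_continue_ = "dns=portal.example.net"

[RequestAttributes]
CertificateTemplate = WebServerDMZ
"@
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU 1.3.6.1.5.5.7.3.1 = Server Authentication.
# 2.5.29.17 is the SAN extension; every name the service is reached by goes here.
Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII
certreq -new "$base.inf" "$base.req"        # key is created in the machine store, CSR written to .req

# --- 2. On a domain-joined admin host: submit the CSR to the issuing CA ---
$caConfig = 'ca01.example.net\Example Issuing CA'   # "<CA host>\<CA common name>"
certreq -submit -config $caConfig "$base.req" "$base.cer"
# If the template requires manager approval the submit returns a pending RequestId;
# after approval in the CA console, retrieve the issued certificate with:
#   certreq -retrieve -config $caConfig <RequestId> "$base.cer"

# --- 3. Back on the DMZ host: trust the chain, install the certificate, verify ---
certutil -addstore Root C:\pki\example-root.cer       # root CA certificate (one-off)
certutil -addstore CA   C:\pki\example-issuing.cer    # issuing CA certificate (one-off)
certreq -accept "$base.cer"                            # pairs the cert with the pending key in LocalMachine\My
certutil -verify -urlfetch "$base.cer"                 # chain build plus live AIA/CRL/OCSP fetch from this network
```

`certreq -accept` must run on the host where `certreq -new` created the key; on any other machine there is no matching pending key and the accept fails. The final `certutil -verify -urlfetch` is the check the PoC bullet asks for (trust chain and CRL accessibility): run it from the DMZ segment, because a CRL distribution point that resolves only on the internal network will pass on the admin host and fail at the service. Renewal under this pattern is a repeat of steps 1 to 3 with a fresh key, so the runbook should schedule it ahead of expiry rather than rely on the auto-enrolment the domain-joined servers get from GPO.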