Key Responsibilities 

1. Current-State PKI Assessment 

• Review the existing on-premise Microsoft CA / AD CS configuration. 

• Assess CA hierarchy, root/intermediate CA design, issuing CA configuration and certificate policies. 

• Review certificate templates, issuance permissions, auto-enrolment settings and approval workflows. 

• Assess CRL, OCSP, revocation checking and certificate chain availability. 

• Review current server certificate usage across domain-joined, internal, SQL/SSRS and DMZ/workgroup servers. 

• Identify current risks, gaps and improvement areas in certificate lifecycle management. 

2. Target PKI Architecture 

• Design a secure and supportable Microsoft PKI / AD CS target architecture. 

• Define certificate templates for internal server authentication, SQL Server, SSRS, application portals and internal HTTPS endpoints. 

• Define certificate validity periods, renewal periods, key lengths, algorithms, SAN naming standards and subject naming conventions. 

• Define auto-enrolment patterns for domain-joined Windows servers. 

• Define secure issuance and renewal options for non-domain-joined DMZ/workgroup servers. 

• Recommend whether the existing CA can be reused, remediated or whether additional configuration is required. 

• Produce practical design documentation suitable for infrastructure, security and operations teams. 

3. Certificate Lifecycle and Automation 

• Define certificate request, approval, issuance, deployment, renewal and revocation processes. 

• Design GPO-based certificate auto-enrolment where appropriate. 

• Advise on scripted or manual certificate issuance patterns where auto-enrolment is not suitable. 

• Define monitoring and alerting requirements for expiring certificates. 

• Support integration with operational processes, including change management, CAB, maintenance windows and service validation. 

• Advise on whether third-party certificate lifecycle tools are required or whether native Microsoft capabilities are sufficient. 

4. Security and Compliance 

• Ensure the PKI design aligns with security best practice and audit expectations. 

• Define auditable controls for certificate issuance, renewal, revocation and administrative access. 

• Support ISO 27001-style evidence requirements, including proof that certificates are monitored, renewed and controlled. 

• Identify and document risks associated with self-signed certificates, public wildcard certificate reuse, weak cryptography, unmanaged certificates and orphaned certificate owners. 

• Produce an exception handling model for systems that cannot follow the standard certificate lifecycle process. 

5. Proof of Concept and Implementation Support 

• Lead or support a PoC using selected non-production servers. 

• Validate certificate enrolment and renewal for domain-joined servers. 

• Support testing of certificate bindings for internal web services, SQL Server and SSRS. 

• Validate trust chains, certificate stores, CRL accessibility and service connectivity. 

• Produce implementation runbooks and operational handover materials. 

• Support production rollout planning, including change records, test plans, rollback/fix-forward approach and post-change validation.