This course is available as part of The Best TLS Training in the World.

Internet PKI in Depth

Spend a full day to understand both
the theory and practice of Internet PKI

Based on the book Bulletproof SSL and TLS. We’ll start with the basics and the theory, then discuss how the PKI is implemented in the real world, and finish with a practical example of a realistic private certification authority. You will learn methods which you can easily replicate in your own work.

We prefer small class sizes and never overbook. This course is also available as an on-site option.


Why This Course is for You

  • Learn about key PKI standards and formats
  • Understand where practice differs from theory
  • Analyze certificate lifecycle in detail
  • Evaluate PKI weaknesses and how they affect you
  • Deploy robust protection using public key pinning
  • Learn about what's coming in the future
  • Practise what you've learned

By the end of the day you will have built a fully-functioning private CA—with multiple intermediate CAs and revocation—using a method that you can easily replicate.

Course Outline

  1. Introduction
  2. Standards
    1. X.509 certificates
    2. Certificate chains
    3. Name constraints
    4. Trust path building
    5. Validation process
  3. Internet PKI
    1. Certification Authorities
    2. Relying parties
    3. Certificate types (DV, EV, OV)
    4. Certificate lifecycle (validation, issuance, and revocation)
    5. CA/B Forum and its standards
    6. Weaknesses
    7. History of attacks
  4. Revocation
    1. CRL
    2. OCSP
    3. OCSP stapling
    4. CRLsets and OneCRL
    5. Short-lived certificates
  5. Defenses
    1. Certification Authority Authorization (CAA)
    2. Public Key Pinning
      1. Static pinning
      2. HPKP
      3. DNSSEC/DANE
  6. Certificate Transparency
  7. PKI ecosystem monitoring
    1. SSL Pulse
    2. Censys
  8. Project: Building and deploying a realistic private CA

Meet the Author

Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs web site.

He is the author of three books, Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He is currently working on his latest exciting project called Hardenize.


Location: CodeNode, 10 South Place, London, EC2M 7EB

Level: Intermediate

Duration: 1 day

Extras: Lunch and refreshments included

Free Book: Bulletproof SSL and TLS

About a month prior to the course we'll send you a digital copy of Bulletproof SSL and TLS, our comprehensive guide to SSL/TLS and Internet PKI. You'll get the paper copy on the day. We'll also give you a bunch of exercises and a hardcopy of the slides.

What You Need to Know

Target audience

This course is for system administrators, developers, and IT security professionals who wish to learn the theory and practice of Internet PKI.


  • Basic Linux command line skills: moving about, invoking commands, editing configuration files.
  • A laptop with a modern browser (Chrome or Firefox) and a SSH client, which you will only need to connect to your assigned virtual server.
  • You should be comfortable using a command-line editor.

We'll provide you with your own virtual server and a sample web application to work on throughout the course.

In-house Training

This course is also available as an on-site option. Please contact us for more information.