The Best TLS and PKI Training

Spend four half-days to understand both the theory and practice of SSL/TLS and Internet PKI

Designed by Ivan Ristić, the author of the much acclaimed Bulletproof SSL and TLS, this practical training course will teach you how to deploy secure servers and encrypted web applications and understand both the theory and practice of Internet PKI.

The course is taught in small classes. Currently delivered remotely, over four half-days. Also available as a private option for in-house teams.

This training is also available as a private option for in-house teams.
Email us for more details.

May 10-13, EMEA/PAC

May 17-20, US/Can

Training over four half-days - 3.5 hours a day

Book EMEA/Pacific (May) Book US/Can (May)

Why This Course is for You

  • Understand threats and attacks against encryption
  • Identify real risks that apply to your systems
  • Deploy servers with strong private keys and valid certificates
  • Deploy TLS configurations with strong encryption and forward secrecy
  • Understand higher-level attacks against web applications
  • Use the latest defence technologies, such as HSTS, CSP, and HPKP
  • Learn about key PKI standards and formats
  • Understand where practice differs from theory
  • Analyze certificate lifecycle in detail
  • Evaluate PKI weaknesses and how they affect you
  • Deploy robust protection using public key pinning
  • Learn about what's coming in the future

Course Outline

On day 1, we’ll focus on what you need in your daily work to deliver best security, availability and performance. And you will learn how to get an A+ on SSL Labs! On day 2, we will start with the basics and the theory, then discuss how the PKI is implemented in the real world, and finish with a practical example of a realistic private certification authority.

Day 1: The Best TLS Training in the World

  1. Introduction
    1. The need for network encryption
    2. Understanding encrypted communication
    3. The role of public key infrastructure (PKI)
    4. SSL/TLS and Internet PKI threat model
  2. Keys and certificates
    1. RSA and ECDSA: selecting key algorithm and size
    2. Certificate hostnames and lifetime
    3. Practical work:
      1. Private key generation
      2. Certificate Signing Request (CSR) generation
      3. Self-signed certificates
      4. Obtaining valid certificates from Let’s Encrypt
    4. Sidebar: Revocation
  3. Protocols and cipher suites
    1. Protocol security
    2. Key exchange strength
    3. Forward security
    4. Cipher suite configuration
    5. Practical work:
      1. Secure web server configuration
      2. Server testing using SSL Labs
    6. Sidebar: Server Name indication (SNI)
    7. Sidebar: Performance considerations
  4. HTTPS topics
    1. Man in the middle attacks
    2. Mixed content
    3. Cookie security
    4. CRIME: Information leakage via compression
    5. HTTP Strict Transport Security
    6. Content Security Policy
    7. HTTP Public Key Pinning
    8. Practical work:
      1. Deploying HSTS to deploy robust encryption
      2. Deploying CSP to deal with mixed content
  5. Putting it all together: Getting an A+ on SSL Labs

Day 2: Internet PKI in Depth

  1. Introduction
  2. Standards
    1. X.509 certificates
    2. Certificate chains
    3. Name constraints
    4. Trust path building
    5. Validation process
  3. Internet PKI
    1. Certification Authorities
    2. Relying parties
    3. Certificate types (DV, EV, OV)
    4. Certificate lifecycle (validation, issuance, and revocation)
    5. CA/B Forum and its standards
    6. Weaknesses
    7. History of attacks
  4. Revocation
    1. CRL
    2. OCSP
    3. OCSP stapling
    4. CRLsets and OneCRL
    5. Short-lived certificates
  5. Defenses
    1. Certification Authority Authorization (CAA)
    2. Public Key Pinning
      1. Static pinning
      2. HPKP
      3. DNSSEC/DANE
  6. Certificate Transparency
  7. PKI ecosystem monitoring
    1. SSL Pulse
    2. Censys
  8. Project: Building and deploying a realistic private CA

We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.

Meet the Trainer

Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both.

Founder of, a free CSP report collection service, and, a free security analyser, Scott has a tendency to always be involved in building something new and exciting.

Meet the Author

Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs web site.

He is the author of three books, Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS, which he publishes via Feisty Duck, his own platform for continuous writing and publishing. Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. His latest project, Hardenize, is a security posture analysis service that makes security fun again.


“Very well structured and full of information. Made the subject of TLS genuinely exciting to learn. The quality of the material, the exercises and the handouts was some of the best I've ever seen.”

Chris Bell, Fujitsu

“Real world examples mixed with hands-on experience. An excellent speaker, engaging stories and kept my attention all four days, in the world of Zoom in 2020, that is amazing!”

Steve Niemczyk, Salesforce

“Very knowledgeable and engaging. Great content, useful lab exercises. Good mix of theory and practical.”

Scott Oakley, HSBC

Free Book: Bulletproof SSL and TLS

About a month prior to the course we'll send you a digital copy of Bulletproof SSL and TLS, our comprehensive guide to SSL/TLS and Internet PKI. You'll get the paper copy on the day. We'll also give you a bunch of exercises and a hardcopy of the slides.

What You Need to Know

Course information

Level: Intermediate

Duration (classroom): 2 days

Duration (remote): 4 days, 3.5 hours a day

Target audience

This course is for system administrators, developers, and IT security professionals, who want to learn how to protect their systems from eavesdropping and impersonation attacks.


  • Basic Linux command line skills: moving about, invoking commands, editing configuration files.
  • A laptop with a SSH client, which you will only need to connect to your assigned virtual server.
  • You should be comfortable using a Unix editor.

We'll provide you with your own virtual server and a sample web application to work on throughout the course.

In-house Training

This course is also available as an on-site option. Please contact us for more information.

Remote Training

Remote training takes place over four half-days (3.5 hours a day). The training materials and the program are identical to the classroom training. We will provide you with the digital training materials, digital copy of Bulletproof SSL and TLS, and your own virtual server on which you will do the exercises. The training will be delivered via Zoom.

In addition to public remote trainings, this option is available for in-house teams. Contact us if you require more information!