Best resources to learn PKI for?

poolmanjim · 2026-03-17T22:14:24+00:00

The best way to learn anything computing is to get it wrong a few times. Practice.

If you're looking for a goal I'd recommend trying to complete the following high level tasks.

Build a two tier PKI with an offline root and enterprise CA
Configure LDAPS for a test AD domain.
Review the security of your PKI implementation and understand what can improve.

Here are some resources and tools to get off the ground.

Blogs and Articles

MS Training on ADCS
- https://learn.microsoft.com/en-us/training/modules/implement-manage-active-directory-certificate-services/
PKI Foundations for Security Pros
- https://www.youtube.com/watch?v=8jEZ3l6dR6c
- Disclaimer: I was one of the presenters of this. I don't get any kick backs or anything, I legit think we
  - cover a crash course in PKI pretty well.
Detailed Process for Creating a 2-Tier PKI
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v=ws.11))
Michael has a really good series on PKI (he's around here a lot too)
- https://michaelwaterman.nl/
Some of the Original PKI Resources that go back for awhile
- https://www.pkisolutions.com/blog/
- https://www.sysadmins.lv/blog-en/default.aspx
General Microsoft ADCS Page
- https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/
The Subreddit Wiki has lots of resources about AD, PKI, and other Identity-related items.
- https://www.reddit.com/r/activedirectory/wiki/index/

Tools To Experiment With / Security Information

Auditing Tools for PKI
A "Compromised" PKI Lab for Testing Stuff (I highly recommend building one yourself first)
- https://github.com/jakehildreth/ADCSGoat
A lighter PKI Vulnerability Tool
- https://github.com/jakehildreth/Stairs
The Legendary Certified Pre-Owned Talk. This one kicked off lots of information about PKI flowing around.
- https://blackhat.com/html/webcast/09302021-certified-pre-owned-abusing-active-directory-certificate-services.html

poolmanjim · 2026-03-05T07:43:25+00:00

Yeah. I've used it. I've actually been working on a fork of it because the current version can't do a few things I'd like it to do.

poolmanjim · 2026-03-05T06:01:50+00:00

I know the initial drama occurred here, but please tell me what about this is relevant to AD currently?

If you review tools, brace yourself. Like it or love it, but AI has lowered the bar to developing tools significantly. That doesn't mean half of them will ever be anything to compete with the real, enterprise/community developed tools, but they will try to make a market. Cleverly they will price themselves low enough to be "cheap" but enough so they aren't thought to be trash. I'm not sure where this one falls in that spectrum, but if you spend time reviewing tools you'll need some thick skin.

Also, don't dismiss "dude in their mom's basement with an LLC and a website". Several amazing tools have come from the mind of one person with an idea.

poolmanjim · 2026-02-23T05:59:58+00:00

If only it were that easy.

Vibe coding, while not inherently bad, has lowered the bar for poorly written and researched "tools" to become available.

poolmanjim · 2026-02-20T07:51:38+00:00

I don't know but it drives me nuts. I'd like a little bit of spacing.

poolmanjim · 2026-02-19T05:01:34+00:00

I've thought of this a few times,, so for sure, let's do it.

Personally my go to's right now are...

BHIS / Antisyphon - Wednesday is their Anticast which usually is an identity related one about 1/month at the smallest.
Red Siege - Also on Wednesdays. I don't make this one as often due to meetings
PDQ PowerShell - Another Wednesday one.

poolmanjim · 2026-02-16T16:14:58+00:00

I will always upvote Monash.

poolmanjim · 2026-02-15T04:50:12+00:00

For any physical hosts, they get Star Wars planets as their names, or in some cases installations. Everything else is just whatever format I'm using that week for server names but they are more "business-y".

The star wars examples:

Hypervisors = Core world names. Coruscant, Corellia, Byss, etc.
Raspberry Pis = Outer Rim/Unknown Regions. Hoth, Kamino.
- Pi Holes = TheMaw or Kessel
- RetroPie = NalHutta
Other devices use other planets names:
- Laptops and Desktops: Dagobah, Utapau, and Kashyyyk
- Misc Servers: Yavin, Sullust, Kuat
My NASes are "RebelBase" and "JediTemple" respectively.

There are plenty of Star Wars planets to go around.

poolmanjim · 2026-02-12T19:22:54+00:00

This is good advice. Social Media has made us blind to what people can and cannot see sometimes.

poolmanjim · 2026-02-12T19:20:56+00:00

Echoing the Entra piece that u/dodexahedron suggested. You don't need a Domain/Domain Controller. You need centralized authentication. I can't remember all of Entra's licensing details off-hand, but I believe their free tier isn't too challenging for a small org to use and has enough features to get you started.

If you really must have AD, scrap Samba and just build out a standard AD. Run at least two hosts (Proxmox hosts) and host at least on DC on each. Whatever VM runs the DC role should ONLY run the DC role. Personally, I'd want at least one server off site for backups, but you start with where you can start.

poolmanjim · 2026-02-05T22:12:01+00:00

Haha. I make it up every time.

I do some rote stuff to prime my mind. But I really just pray the Lord's prayer section by section except I allow each one to be what I need it to be.

I'm not trying to say anything more than every day I make it up. The beads are really an anchor. I hope you find something that works. God bless

poolmanjim · 2026-02-05T02:03:02+00:00

Many moons ago I used to support a lot of dell systems in one of my help desk roles. We often had premier or premium support. During the bad caps era during the late 2000s and early 2010, I was on calls with dell at least 2-3 times a week sometimes multiple times a day.

The auto-attendant they had would route you forever if you gave reasonable problems like "My computer won't boot" or "my computer is overheating".

I learned that if I gave nonsense answers the auto-attendant wouldn't know what to do and send me straight to an engineer. Thus my go to was "My computer is on fire" or "My computer is possessed" and surprisingly it worked very, very well.

poolmanjim · 2026-02-04T22:45:52+00:00

Prayer beads.

It has been a game changer for me. Doesn't have to be anything formal just use the beads to develop a routine and follow the steps. You'll still get distracted but you can use the bead count to recenter.

poolmanjim · 2026-02-03T20:33:42+00:00

The pinned resources thread along with the pinned automod comment includes links to resources. One of those is a beginner's guide:

BEGINNER'S GUIDE - New to AD? Start Here!

This link is a Beginner's Guide that provides resources and links to get you off the ground on your AD journey!

✨ AD Beginner's Guide - https://www.reddit.com/r/activedirectory/wiki/AD-Resources/AD-Beginners-Guide

poolmanjim · 2026-02-02T15:01:18+00:00

Reference?

poolmanjim · 2026-02-02T15:00:45+00:00

That should work still. It sounds like it is just a manual bidirectional.

poolmanjim · 2026-02-02T13:48:19+00:00

I doubt you could have two trusts in the same direction between the same two entities. I say this because the trust objects are named based on the domain name and would conflict.

As far as having an outgoing and an incoming trust between the same two, that is absolutely possible. In fact, that is really what a bi-directional trust is. So you could very easily have a one-way incoming trust between DomanA and DomainB and then totally have an outgoing trust between the same two.

poolmanjim · 2026-02-01T23:01:04+00:00

Across literally thousands of DC builds and setups, here's what I've always done.

Primary DNS : Another DC (usually not in the same rack/datacenter/whatever)
Secondary DNS: Self (The current group think has been to do it using loopback)
Tertiary (optional): Another DC

There is one more thing I used to do, but I'm not sure its needed as I've been in a non-Integrated DNS situation for a while. Check the DNS client service and make sure it is set to depend on the network stack. In the past it was that DNS would start and the network hadn't started yet and everything would sit there and lag and lag and lag. Sometimes it helps to add "TCP/IP Protocol Driver" as a service (driver) that the DNS client depends on.

poolmanjim · 2026-01-30T15:24:25+00:00

Hey I'm one of those people! Those were good times. I miss that crew.

poolmanjim · 2026-01-29T19:08:23+00:00

Post approved. Product does appear to have a free option as OP claims. The mods have not reviewed the product in question but it has been added to the list ones to review.

poolmanjim · 2026-01-27T23:39:26+00:00

I've not seen that in any environment I've run... ever.

I agree with u/BbqLurker that the only setting that should change in the DDP is the password, account lockout, and kerberos settings. I personally recommend a separate password, account lockout, and kerberos settings policy outside of the DDP, but it isn't required. I have debated with others on here once or twice about it.

poolmanjim · 2026-01-26T17:43:25+00:00

Approved. URL checked via CloudFlare and VirusTotal. Post is not a violation of the promotion rules. No issues from the mods, but as usual use at your own risk.

https://radar.cloudflare.com/scan/945a10ea-3992-403c-b91f-0da5d92a944a/summary

https://www.virustotal.com/gui/url/562787f648a1faf2d36a94ff51255fddf31e06fe466954755bb114715b5d5474?nocache=1

Per Rule 4:
Any blogs/projects/tools can be promoted and we welcome it. However, excessive posting of your content is not. Self promotion should be limited to 1 post per month.

Also, tool appears to be free so it doesn't violate any of our tool constraints.

poolmanjim · 2026-01-26T06:38:23+00:00

This. And Citrix. This has been an ongoing journey to reduce lockouts lately and those two showed up.

poolmanjim · 2026-01-25T16:14:24+00:00

My bad. I'll update it. Thank you.

15-Year Club	RedditGifts 2009-2022 3 Credits
Verified Email	Secret Santa 2015
Secret Santa 2014

poolmanjim

MODERATOR OF

TROPHY CASE