PKI Mastery Roadmap (12-Week Study Guide)

A weekly study guide for enterprise PKI work with Venafi + Axiad + DigiCert, plus enrollment proxies and CRL infrastructure. Designed for steady progress toward full independence.

How to use this

• Plan for ~6 focused hours per week (scale up/down as needed).
• Each week has: learn → hands-on → milestone.
• If your work week is chaotic, do the hands-on portion first.

Week 1 — PKI fundamentals, trust chains, certificate anatomy

Learn

• Certificate fields: Subject, Issuer, SAN, Key Usage, EKU, validity, serial.
• Trust chains: root → intermediate → leaf.
• What “validation” means: chain building + time validity + revocation checks.

Hands-on

• Inspect certs on Windows using certutil and the Certificates MMC.
• Build a small lab PKI (root + issuing CA) and issue a test cert.

Milestone

• You can explain why a cert is valid/invalid without vendor tooling.
• You can trace a chain from leaf → root and describe each link.

Week 2 — Enrollment and templates

Learn

• Enrollment concepts: CSR, proof-of-possession, identity binding.
• Enrollment protocols: SCEP, EST, ACME (what they do and when used).
• Template/policy concepts: EKU, key size/type, SAN rules, validity.

Hands-on

• Issue a certificate via a defined policy/template in a lab.
• Break enrollment (permissions/EKU/SAN mismatch) and fix it.

Milestone

• You can describe enrollment end-to-end and pinpoint where failures occur.

Week 3 — Auto-enrollment proxies and enrollment flow troubleshooting

Learn

• What an enrollment proxy does in your environment (control point, routing, auth, policy enforcement).
• Common failure buckets: auth, routing/DNS, policy mismatch, key generation, connectivity, trust.
• Where evidence lives: system logs, proxy logs, client logs, network traces.

Hands-on

• Map the flow: client → proxy → issuing endpoint → response → installation.
• Capture a request/response with a network trace and identify the failure step.

Milestone

• You can troubleshoot enrollment by step (not by guesswork).

Week 4 — CRL distribution, OCSP, revocation architecture

Learn

• CRL basics: thisUpdate/nextUpdate, full vs delta CRLs, signing.
• CDP/AIA concepts and why clients care.
• OCSP basics and when it matters.
• Client behavior: caching, timeouts, “soft-fail” vs “hard-fail” scenarios.

Hands-on

• Host a CRL on a web server in a lab and validate download + parsing.
• Simulate CRL failure (404/timeout/expired CRL) and observe validation impact.

Milestone

• You can explain exactly what happens when CRLs break and how to verify recovery.

Week 5 — Venafi fundamentals: policy folders, inheritance, permissions

Learn

• Folder hierarchy and policy inheritance model.
• Permissioning model (groups, roles, inheritance boundaries).
• How policy maps to certificate requirements (naming, key type, SAN rules, etc.).

Hands-on

• Create a policy folder, apply policy, assign group permissions, validate inheritance.
• Document the exact steps your microservice automates (inputs → actions → outputs).

Milestone

• You can reason about “why this policy folder behaves like this” without tribal knowledge.

Week 6 — Venafi automation and API proficiency

Learn

• Venafi API basics: auth, common endpoints, error handling patterns.
• Operational tasks you should automate: folder creation, permissions, metadata, reporting.

Hands-on

• Write a script (PowerShell or Python) to create a policy folder + apply permissions.
• Add a “dry run” mode and structured logging.

Milestone

• You can reproduce key Venafi operations via API (repeatably, safely).

Week 7 — Axiad: identity, credentials, lifecycle

Learn

• How identity is established and bound to a certificate.
• Credential lifecycle: issue, renew/rotate, revoke, recover.
• Common failure modes: identity proofing gaps, device binding issues, policy mismatches.

Hands-on

• Run a full lifecycle in a test context (issue → validate auth use → revoke → re-issue).

Milestone

• You can troubleshoot Axiad issues by mapping symptoms to lifecycle steps.

Week 8 — DigiCert: external issuance, automation, validation

Learn

• Certificate types and validation methods (DNS/HTTP, org validation where applicable).
• Automation options (API/ACME-like approaches if used).
• Operational realities: renewals, rekeys, naming standards, SAN management.

Hands-on

• Trace an issuance flow end-to-end (request → validation → issuance → deployment → renewal).

Milestone

• You can explain how external issuance differs from internal issuance and why.

Week 9 — PKI architecture and design principles

Learn

• Trust model design: why hierarchies exist and how blast radius is controlled.
• Key protection (HSM concepts, separation of duties, auditability).
• Policy documents (CP/CPS ideas), change control, incident response basics.

Hands-on

• Draw your current “as-is” architecture (even if rough) and annotate trust boundaries.
• Identify top risks (single points of failure, revocation dependencies, enrollment choke points).

Milestone

• You can discuss PKI like an architect (tradeoffs, risks, controls), not just an operator.

Week 10 — TLS and certificate validation in depth

Learn

• Handshake fundamentals, chain presentation, server auth vs client auth (mTLS).
• Why mismatched SAN/EKU breaks TLS.
• How clients build chains and use AIA/CDP/OCSP during validation.

Hands-on

• Capture TLS with Wireshark, identify the certificate chain and failure reason.
• Reproduce a TLS failure intentionally and fix it (wrong SAN, missing intermediate, etc.).

Milestone

• You can debug “TLS errors” quickly and explain them clearly to others.

Week 11 — Troubleshooting mastery (break/fix lab)

Learn

• Common PKI failure patterns: trust chain, name constraints, EKU, revocation, enrollment auth.
• Evidence-driven troubleshooting: what to check first, what to ignore, what proves the cause.

Hands-on

• Create a “failure lab” and break one thing at a time: SAN, EKU, missing intermediate, CRL URL, expired CRL.
• Write a one-page runbook for each failure: symptoms → checks → fix → verification.

Milestone

• You can consistently get from symptom → root cause with a repeatable method.

Week 12 — Automation, CI/CD, and scaling PKI operations

Learn

• How to turn operational knowledge into scripts/runbooks/pipelines.
• Safe automation patterns: least privilege, idempotency, dry-run, logging, rollback.
• Certificate rotation strategy for services (inventory → renew → deploy → verify → retire old).

Hands-on

• Build a small pipeline step that validates policy folder config or certificate readiness.
• Write an “expiration audit” script for a test scope and produce a simple report.

Milestone

• You can replace tribal knowledge with repeatable automation and documentation.

After week 12

• Pick one deep specialty to sharpen (revocation infrastructure, enrollment automation, TLS debugging, platform integrations).
• Keep a personal PKI runbook: every incident becomes a reusable checklist.
• Focus on turning “mystery systems” into diagrams, tests, scripts, and verification steps.

The goal is not to memorize trivia. The goal is to understand flows end-to-end, collect evidence, and build repeatable systems. That removes the power of gatekeeping.