In the rush toward cloud-native identity and Zero Trust, it’s tempting to think PKI is yesterday’s problem. It isn’t. Certificates still underpin TLS for every web service you run, smart card and certificate-based authentication across government and defense networks, VPN and IPsec connections, code signing for your software supply chain, EFS and S/MIME for data protection, and 802.1X network access control. When a CA certificate expires, when a CRL distribution point becomes unreachable and relying parties can no longer fetch a current CRL, or when a certificate template is misconfigured, the impact is immediate and widespread, and the root cause is often invisible to the teams scrambling to restore service.
This session is a guided tour of enterprise PKI architecture, operations, and failure modes, drawn from real-world deployments and incidents. We’ll walk through how a two-tier CA hierarchy actually works (an offline Root CA signing one or more online issuing CAs, and why the Root CA should never be on the network), how certificate templates control everything from key usage to enrollment permissions, why autoenrollment fails silently and how to tell when it has, how key archival prevents permanent data loss and how key recovery actually works in practice, and the five PKI health checks every administrator should run before they leave the office on Friday.
This is not a theoretical overview. Every concept is grounded in production experience, illustrated with real configuration screenshots, and connected to the operational decisions your team will face. Whether you’re inheriting an existing PKI, planning a new deployment, or trying to figure out why certificates keep breaking in your environment, this session gives you the mental model and the diagnostic toolkit to take control.
You will learn:
- A clear architectural model for enterprise PKI that attendees can take back and evaluate against their own environment
- A diagnostic checklist for assessing PKI health in under 10 minutes
- Practical knowledge of key archival and recovery—the feature most PKI deployments skip and most regret skipping
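As an added illustration of the kind of Friday-afternoon health check the session describes (this script is not part of the session material or any product), the following Windows PowerShell 5.1 script checks an AD CS issuing CA for the failure modes named above: the CA service not answering, the CA certificate approaching expiry, an unreachable CRL distribution point, and a stale base CRL. Everything in it is an assumption to adapt: `$CaConfig` is a placeholder `CAHostName\CA Common Name`, `certutil.exe` is expected on the PATH, the host must reach the CA over DCOM and the CDP URLs over HTTP, and the `NextUpdate` date is parsed in the local culture's format, which is how `certutil -dump` prints it.

```powershell
<#
 Added example, not from the session: a quick AD CS health check (Windows PowerShell 5.1).
 Assumptions (placeholders to adjust): $CaConfig is your "CAHostName\CA Common Name",
 certutil.exe is on the PATH, the host can reach the CA over DCOM and the CDP URLs over HTTP.
#>
param(
    [string]$CaConfig = 'CA01.corp.example\Example Issuing CA',  # placeholder, not a real CA
    [int]$ExpiryWarningDays = 90,                                # warn if the CA cert has less than this left
    [int]$CrlWarningHours   = 24                                 # warn if the base CRL expires within this window
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Status = $(if ($Ok) { 'OK' } else { 'FAIL' }); Detail = $Detail })
}

$caHost  = $CaConfig.Split('\')[0]
$tempDir = Join-Path $env:TEMP 'pki-healthcheck'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

# 1. Is the CA service up and answering? (-ComputerName exists in Windows PowerShell 5.1, not PowerShell 7.)
try {
    $svc = Get-Service -Name CertSvc -ComputerName $caHost -ErrorAction Stop
    Add-Check 'CertSvc running' ($svc.Status -eq 'Running') "CertSvc on $caHost is $($svc.Status)"
} catch { Add-Check 'CertSvc running' $false $_.Exception.Message }

$ping = & certutil.exe -config $CaConfig -ping 2>&1
Add-Check 'CA answers certutil -ping' ($LASTEXITCODE -eq 0) (($ping | Select-Object -Last 1) -join ' ')

# 2. CA certificate lifetime: export the CA's current signing certificate and read NotAfter.
$caCertFile = Join-Path $tempDir 'ca.cer'
& certutil.exe -config $CaConfig -ca.cert $caCertFile | Out-Null
if ($LASTEXITCODE -eq 0) {
    $caCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
    $daysLeft = [int]($caCert.NotAfter - (Get-Date)).TotalDays
    Add-Check 'CA certificate not near expiry' ($daysLeft -gt $ExpiryWarningDays) `
        "$($caCert.Subject) expires $($caCert.NotAfter.ToString('u')) ($daysLeft days left)"

    # 3. Every HTTP CDP URL in the CA certificate (these point at the parent CA's CRL) must be fetchable.
    $cdpExt  = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
    $cdpUrls = if ($cdpExt) { [regex]::Matches($cdpExt.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value } } else { @() }
    foreach ($url in $cdpUrls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            Add-Check "CDP reachable: $url" ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        } catch { Add-Check "CDP reachable: $url" $false $_.Exception.Message }
    }
} else { Add-Check 'CA certificate retrieved' $false 'certutil -ca.cert failed' }

# 4. The CA's own published base CRL must not be expired or about to expire; clients fail closed on a stale CRL.
$crlFile = Join-Path $tempDir 'ca.crl'
& certutil.exe -config $CaConfig -GetCRL $crlFile | Out-Null
if ($LASTEXITCODE -eq 0) {
    # certutil -dump prints "NextUpdate: <date>"; the date uses the local culture's format (assumption).
    $dump = & certutil.exe -dump $crlFile
    $m    = [regex]::Match(($dump -join "`n"), 'NextUpdate:\s*(.+)')
    if ($m.Success) {
        $nextUpdate = [datetime]::Parse($m.Groups[1].Value.Trim())
        $hoursLeft  = [int]($nextUpdate - (Get-Date)).TotalHours
        Add-Check 'Base CRL still valid' ($hoursLeft -gt $CrlWarningHours) "NextUpdate $($nextUpdate.ToString('u')) ($hoursLeft hours left)"
    } else { Add-Check 'Base CRL still valid' $false 'Could not parse NextUpdate from certutil -dump output' }
} else { Add-Check 'Base CRL retrieved' $false 'certutil -GetCRL failed' }

# 5. Build the CA certificate's chain with live revocation checking, the way a relying party would.
if (Test-Path $caCertFile) {
    $verify = & certutil.exe -verify -urlfetch $caCertFile 2>&1
    Add-Check 'Chain builds with revocation checking' ($LASTEXITCODE -eq 0) (($verify | Select-Object -Last 1) -join ' ')
}

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it from a domain-joined workstation as a user allowed to read the CA configuration; a non-zero exit code means at least one check failed, so it drops straight into a scheduled task or monitoring job. It deliberately checks the published CRL's `NextUpdate` rather than the CA's CRL publication schedule, because what breaks relying parties is the CRL they can actually fetch, not the one the CA intended to publish.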