Scott Helme: The Best TLS Training in the World – GOTO Academy NL

Scott Helme: The Best TLS Training in the World

Designed by Ivan Ristić, the author of the much-acclaimed Bulletproof SSL and TLS, this practical training course will teach you how to deploy secure servers and encrypted web applications and understand both the theory and practice of Internet PKI.

What will the attendees learn?

  • Understand threats and attacks against encryption
  • Identify real risks that apply to your systems
  • Deploy servers with strong private keys and valid certificates
  • Deploy TLS configurations with strong encryption and forward secrecy
  • Understand higher-level attacks against web applications
  • Use the latest defence technologies, such as HSTS, CSP, and HPKP
  • Learn about key PKI standards and formats
  • Understand where practice differs from theory
  • Analyze certificate lifecycle in detail
  • Evaluate PKI weaknesses and how they affect you
  • Deploy robust protection using public key pinning
  • Learn about what's coming in the future

Agenda: Day 1 | The Best TLS Training in the World

  1. The need for network encryption
  2. Understanding encrypted communication
  3. The role of public key infrastructure (PKI)
  4. SSL/TLS and Internet PKI threat mode

Keys and certificates 

  1. RSA and ECDSA: selecting key algorithm and size
  2. Certificate hostnames and lifetime
  3. Practical work:
    1. Private key generation
    2. Certificate Signing Request (CSR) generation
    3. Self-signed certificates
    4. Obtaining valid certificates from Let’s Encrypt
  4. Sidebar: Revocation

Protocols and cipher suites

  1. Protocol security
  2. Key exchange strength
  3. Forward security
  4. Cipher suite configuration
  5. Practical work:
    1. Secure web server configuration
    2. Server testing using SSL Labs
  6. Sidebar: Server Name indication (SNI)
  7. Sidebar: Performance considerations

HTTPS topics

  1. Man in the middle attacks
  2. Mixed content
  3. Cookie security
  4. CRIME: Information leakage via compression
  5. HTTP Strict Transport Security
  6. Content Security Policy
  7. HTTP Public Key Pinning
  8. Practical work:
    1. Deploying HSTS to deploy robust encryption
    2. Deploying CSP to deal with mixed content 

Putting it all together: Getting an A+ on SSL Labs

Agenda: Day 2 | Internet PKI in Depth



  1. X.509 certificates
  2. Certificate chains
  3. Name constraints
  4. Trust path building
  5. Validation process

Internet PKI

  1. Certification Authorities
  2. Relying parties
  3. Certificate types (DV, EV, OV)
  4. Certificate lifecycle (validation, issuance, and revocation)
  5. CA/B Forum and its standards
  6. Weaknesses
  7. History of attacks


  1. CRL
  2. OCSP
  3. OCSP stapling
  4. CRLsets and OneCRL
  5. Short-lived certificates


  1. Certification Authority Authorization (CAA)
  2. Public Key Pinning
    1. Static pinning
    2. HPKP

Certificate Transparency

PKI ecosystem monitoring

Project: Building and deploying a realistic private CA

We will also provide you with many additional exercises that you can work on in your own time. You'll be able to ask us for help via email. And if you're already familiar with the basics, we'll challenge you with some of the advanced exercises on the day.

Are there any prerequisites? 

  • Basic Linux command line skills: moving about, invoking commands, editing configuration files.
  • A laptop with an SSH client, which you will only need to connect to your assigned virtual server.
  • You should be comfortable using a Unix editor.

Would you like to join us as a group? - Contact us here



    Upcoming training dates

    Sorry, there are no products in this collection