X.509 certificates are vital for Internet security, yet their inner workings often remain a mystery. This intermediate workshop moves beyond the "black box" to provide practical skills in Public Key Infrastructure (PKI) and certificate management using FreeIPA.

Attendees will explore diverse use cases, including WebPKI, Smart Card auth, Kerberos PKINIT, and 802.1X EAP, essential for system administrators or DevOps engineers.

Hands-on topics include:
* PKI fundamentals and X.509 anatomy.
* Using OpenSSL to generate keys and CSRs.
* ACME (Let's Encrypt) and FreeIPA issuance.
* Configuring certificate profiles, sub-CAs, and enabling ACME.
* External signing and renewal of the FreeIPA CA.
* Linux Smart Card authentication and host configuration.
* Future trends: Certificate Transparency and Post-Quantum cryptography.

Prerequisites: Participants will access a cloud lab and will only need an SSH client and to be comfortable with the Unix command line.