Ask HN: Want to study SSL, HTTPS, and the works. Where to start?
20 points by surds on June 20, 2017 | 9 comments
I want to study SSL, HTTPS, CAs, certificates, installation and management of certificates, and other things that I probably don't know about this domain.

Where do I start? Any advice as well as references to blogs, books or papers is appreciated. I am fairly technically competent, so technically heavy references are okay.



I recommend beginning at the fundamentals. For example, here's a video that walks through Diffie-Hellman so that anybody can follow. You can probably sprint through it, but by taking it slow they avoid accidentally forgetting anything important.

https://www.youtube.com/watch?v=YEBfamv-_do

Grasping the fundamentals means that when it comes to policy decisions (e.g. in the management of certificates) you can see what the consequences of a particular decision are, rather than just hoping that whoever proposed that policy knew what they were doing.

For example, I think a lot of people today use Certificate Signing Request (CSR) files without understanding them at all. But once you have a grounding in the underlying elements you can see at once what the CSR does, and why it's necessary without needing to have that spelled out separately.

Or another example: understanding what was and was not risky as a result of the known weakness of SHA-1. I saw a lot of scare-mongering by security people who saw the SHA-1 weakness as somehow meaning impossible things were now likely, but it only affected an important but quite narrow type of usage; people who understood that could make better, more careful decisions without putting anybody at risk.
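The commenter's point about learning Diffie-Hellman first is worth making concrete. The script below is an added example, not code from the linked video or from anyone in this thread: it runs an unauthenticated finite-field exchange, then the same exchange with an attacker on the wire substituting her own public values, which is exactly the gap that certificates close. In TLS the server's key share is signed with the key in its certificate, and the CA chain is what lets the client trust that signing key. The 127-bit modulus, the generator, the SHA-256 key derivation and all names are illustrative choices of ours; nothing here is deployable cryptography.

```python
"""Finite-field Diffie-Hellman, honest and with an active attacker (added example).

Constructed for this thread, not from the video or the commenter.  The modulus is
the Mersenne prime 2**127 - 1, a toy chosen so the numbers stay small; real
deployments use 2048-bit+ named groups (RFC 3526 / RFC 7919) or elliptic curves.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (see docstring); NOT for production use
G = 3            # generator for the demo


def keypair():
    """Pick a private exponent x in [1, p-2] and return (x, g**x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def public_value_is_valid(y):
    """Reject 0, 1 and p-1: a peer sending one of those forces the shared secret
    into a trivial value, the classic degenerate-key mistake in DH deployments."""
    return 2 <= y <= P - 2


def shared_key(own_private, peer_public):
    """Derive a 32-byte key from the DH shared secret g**(xy) mod p (KDF: SHA-256)."""
    if not public_value_is_valid(peer_public):
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def honest_exchange():
    """Alice and Bob exchange public values over a passive channel; both derive
    the same key.  Returns True when the two derived keys match."""
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B) == shared_key(b, A)


def mitm_exchange():
    """Same exchange with Mallory on the wire.  Unauthenticated DH gives Alice and
    Bob no way to tell Mallory's values from each other's, so she ends up holding
    one key with each side and can read and re-encrypt everything in between."""
    a, A = keypair()        # Alice (client)
    b, B = keypair()        # Bob (server)
    m_a, M_a = keypair()    # Mallory's value delivered to Alice in place of B
    m_b, M_b = keypair()    # Mallory's value delivered to Bob in place of A
    k_alice = shared_key(a, M_a)          # Alice believes M_a came from Bob
    k_bob = shared_key(b, M_b)            # Bob believes M_b came from Alice
    k_mallory_alice = shared_key(m_a, A)
    k_mallory_bob = shared_key(m_b, B)
    return {
        "alice_and_bob_agree": k_alice == k_bob,                      # False
        "mallory_shares_key_with_alice": k_mallory_alice == k_alice,  # True
        "mallory_shares_key_with_bob": k_mallory_bob == k_bob,        # True
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    for name, value in mitm_exchange().items():
        print(f"{name}: {value}")
```

The honest run agrees every time; the attacked run never does, yet neither Alice nor Bob can see that from the numbers alone. That is the whole reason a TLS server proves who owns its key share, and why the CSR, the CA signature and the chain the commenter mentions exist at all.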


I'm more of a learning-by-doing person. Here are three exercises you'll learn a lot from doing:

1) https://www.ssllabs.com/ssltest/ - try to get an A+. It's not important in most cases in practice, but you'll learn a lot getting there. Their rating guide is also handy: https://github.com/ssllabs/research/wiki/SSL-Server-Rating-G...

2) MITM yourself. I've done this using Charles; you can do it with any HTTP proxy that lets you rewrite requests on the fly (I hear Fiddler is popular). MITM yourself and try changing the page for an HTTP site. Then try doing it on a website that is part HTTP, part HTTPS (e.g. HTTPS for the login page) and "steal your password". Try again on a website that redirects from HTTP to HTTPS using a 301 but does not have HSTS. Finally, try on a site with HSTS (nb: you won't manage this one). Congratulations, you now truly understand why HSTS is important and what it does, better than most people!

3) Set up HTTPS on a website. You've probably already done this. In which case maybe do it with Let's Encrypt for an extra challenge?
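To make the last two steps of exercise 2 reproducible offline, here is an added example (not the commenter's code; nothing real is contacted). It is an in-process model of a redirect-only site, an HSTS site, a hostile network that answers every plaintext request with a forged page, and a client that implements the parts of RFC 6797 that matter here: it honours Strict-Transport-Security only when received over HTTPS, respects max-age and includeSubDomains, and rewrites http:// to https:// before anything is sent. The hostnames and page bodies are made up. It also shows the caveat the exercise skips: an HSTS site is just as exposed on a first visit, when no policy is cached yet, which is what the browser preload list exists to cover.

```python
# Toy model of the HSTS part of the MITM exercise.  Added example; servers,
# network and attacker are plain Python objects and the hostnames are invented.
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)', re.IGNORECASE)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class Server:
    """Origin: 301s plaintext to HTTPS; sends the given HSTS value over HTTPS, if any."""
    def __init__(self, hsts=None):
        self.hsts = hsts

    def handle(self, scheme, host, path):
        if scheme == "http":
            return Response(301, {"Location": f"https://{host}{path}"}, "")
        headers = {"Strict-Transport-Security": self.hsts} if self.hsts else {}
        return Response(200, headers, "genuine login form")


class Network:
    """Path to the servers.  A hostile network answers every plaintext request itself;
    it cannot forge HTTPS without a certificate the client accepts, so those go through."""
    def __init__(self, servers, hostile=False):
        self.servers, self.hostile, self.plaintext_seen = servers, hostile, []

    def send(self, scheme, host, path):
        if scheme == "http":
            self.plaintext_seen.append(host)
            if self.hostile:
                return Response(200, {}, "FORGED login form")
        return self.servers[host].handle(scheme, host, path)


class Client:
    """Browser-like client with an HSTS store: host -> (expires_at, includeSubDomains)."""
    def __init__(self, clock=time.time):
        self.policies, self.clock = {}, clock

    def hsts_applies(self, host):
        """RFC 6797 s8.3: exact match, or a superdomain whose policy has includeSubDomains."""
        now, labels = self.clock(), host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            entry = self.policies.get(name)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self.policies[name]          # expired policies are forgotten
            elif i == 0 or include_subdomains:
                return True
        return False

    def note_hsts(self, scheme, host, response):
        """RFC 6797 s8.1: the header is honoured only when received over HTTPS."""
        value = response.headers.get("Strict-Transport-Security", "")
        match = MAX_AGE_RE.search(value)
        if scheme != "https" or not match:
            return
        max_age = int(match.group(1))
        if max_age == 0:
            self.policies.pop(host, None)        # max-age=0 means "forget this host"
        else:
            self.policies[host] = (self.clock() + max_age, "includesubdomains" in value.lower())

    def fetch(self, url, network):
        parts = urlsplit(url)
        scheme, host, path = parts.scheme, parts.hostname, parts.path or "/"
        if scheme == "http" and self.hsts_applies(host):
            scheme = "https"                     # upgraded locally; no plaintext is sent
        response = network.send(scheme, host, path)
        self.note_hsts(scheme, host, response)
        if response.status in (301, 302, 307, 308):
            return self.fetch(response.headers["Location"], network)
        return response


def run_exercise():
    """Steps 3 and 4 of the exercise above, plus the first-visit caveat."""
    servers = {"redirect-only.example": Server(),
               "hsts.example": Server("max-age=31536000; includeSubDomains")}
    results = {}
    # 301-only site: even after a clean earlier visit, the next http:// request
    # starts in plaintext and the attacker answers before the redirect is seen.
    client = Client()
    client.fetch("http://redirect-only.example/login", Network(servers))
    results["301_only"] = client.fetch("http://redirect-only.example/login", Network(servers, hostile=True)).body
    # HSTS site never visited before: no cached policy, same exposure.
    # (This first-visit gap is what the browser preload list is for.)
    results["hsts_first_visit"] = Client().fetch("http://hsts.example/login", Network(servers, hostile=True)).body
    # HSTS site visited once on a trusted network: the policy is cached, the
    # client upgrades the URL itself and the hostile network sees no plaintext.
    client = Client()
    client.fetch("http://hsts.example/login", Network(servers))
    hostile = Network(servers, hostile=True)
    results["hsts_cached"] = client.fetch("http://hsts.example/login", hostile).body
    results["hsts_cached_plaintext_requests"] = len(hostile.plaintext_seen)
    results["subdomain_covered"] = client.hsts_applies("www.hsts.example")
    return results
```

Running `run_exercise()` shows the forged page for the 301-only site and for the never-visited HSTS site, and the genuine page with zero plaintext requests once the HSTS policy is cached. The two details practitioners most often get wrong are both encoded in the client: a Strict-Transport-Security header seen over plain HTTP must be ignored, and `includeSubDomains` is what extends the policy to hosts beneath the cached name.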


That's awesome. I prefer to learn by doing too. It is way more effective and practical. Thanks for the advice. These steps, along with a book to read on the topic, should work very well! Thanks!


Check out High Performance Browser Networking. Ilya Grigorik is a very smart cookie and will take you right up to the present day state-of-the-art:

https://hpbn.co/


That's a sweet resource. Thanks!


To study SSL, HTTPS and CAs, including installation and management of SSL certificates, you can consider the following references:

https://www.sslshopper.com/what-is-ssl.html

https://www.cheapsslshop.com/blog

https://www.whichssl.com/what-is-ssl.html


I learn best by example, and I have learned so much just by evaluating and implementing HashiCorp Vault: https://www.vaultproject.io/docs/secrets/pki/index.html

It doesn't hold your hand at all, but it gives you a nice "task" to accomplish. Reading up on all the terminology and exactly how and why it works was really fun.


I hear good things about Bulletproof SSL/TLS by Ivan Ristić:

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

There was also a nice web page presenting all kinds of PKI concepts that I came across a few years ago but haven't been able to find since then. :-(


That book should cover pretty much all that I am concerned with. Thanks!



