SHARED INTEL: Automating PKI certificate management alleviates outages caused by boom

By Byron V. Acohido

Our Public Key Infrastructure is booming but also under a strain that manual certificate management workflows are not keeping up with.

Related: A primer on advanced digital signatures

PKI and digital certificates were pivotal in the formation of the commercial Internet, maturing in parallel with ecommerce. With digital transformation leading to a boom in the use of digital certificates, our bedrock authentication and encryption framework is at an inflection point, where the demand and adoption of automation is set to rapidly accelerate to keep up with technology requirements.

As business networks shift into the era of cloud computing and agile software, the volume of digital certificates has swelled dramatically. This scaling up of PKI has put companies in a mad scramble.

Large enterprises now typically must manage 50,000 or more PKI certificates, placing a huge burden on manual processes. This, in turn, has triggered a surge in certificate outages: some two-thirds of 400 enterprises participating in a recent survey reported certificates expiring unexpectedly – with 25 percent experiencing five to six such outages in a recent six month period.

“The volume of certificates is growing dramatically and companies are having a difficult time trying to manually manage their digital certificate workflows,” says Brian Trzupek, senior vice president of product at DigiCert, the Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services that conducted the poll.

Entire new tiers of certificates are cropping up with expiration dates all over the map, Trzupek told me. “It’s like landmines in our customers’ networks,” he says. “When these things expire, they bring down services and it can be a real pain to go find and fix them.”

Organizations have begun relieving this pressure by increasingly turning to centralized, automated PKI management systems, Trzupek says. Here are a few key takeaways from a deep discussion I had with him about how all of this is unfolding.

Certificate confusion

PKI touches nearly every aspect of our connected technologies. Digital certificates get issued publicly, by a CA, or privately by an individual company for users and servers. This is how we authenticate human and machine identities and move encrypted data between endpoints.


The number of PKI certificates has swelled 43 percent year-over-year, according to a recent Ponemon study. What’s more, the validity period of publicly trusted certificates continues to shrink: five years ago certificates got issued that typically remained valid for 10 years; today public trust validity periods typically range from months to a year, at most, Trzupek says.

Companies are churning out certificates left and right for users and for business system servers, as well as for web servers, mobile devices, document and software signing, IoT devices, user identity and access management, email and more. The legacy way to manage PKI is to do it manually. However, in today’s environment manual processes no longer cut the mustard.

Nearly two-thirds of the companies polled by DigiCert said they were somewhat to extremely concerned about how much time gets spent managing certificates. And 37 percent complained that they had to use more than three departments to manage certificates, leading to confusion.

“Companies are dealing with a big surface area where they need to locate and monitor all of the certificates inside of an extended cloud environment —  for users, machines, laptops and mobile devices,” Trzupek says. “And then they have to quantify and qualify all of these certificates across a much wide perimeter, where some of the certs aren’t necessarily under their direct control.”

Addressing compliance, security

The stakes are sky high to get everything right. The impact of a certificate outage can range from creating a nuisance to causing a material disruption. Clearly, many companies need to get a better grip on PKI management simply to keep from derailing digital transformation. Agile software won’t be so nimble if the underlying certificates can’t keep pace.

And there are two other intertwined drivers in play: compliance and security.

Regulations like Europe’s General Data Protection Regulation and California’s Privacy Rights Act, along with numerous industry standards in the technology, banking and insurance sectors loom large – imposing the specter of audits and the threat of fines.

These compliance pressures stem directly from the malicious hacking that continues to devastate individuals’ privacy and generally wreak havoc with data security. Sophisticated cyber-attacks continue apace, hence the Solar Winds supply-chain hack, the Colonial Winds ransomware attack and President Biden’s cybersecurity initiatives.

It may not seem obvious, but robust PKI management ties into compliance and security at many levels; well-managed certificates don’t just help companies to pass audits – they also very directly and materially contribute to data security resilience.

Because of the complex operating environment, many company decision makers do not yet get this concept, Trzupek told me. “Some companies aren’t even looking at this piece yet; they’re not even aware of the scope of the problem,” he says. “It’s because they have to juggle a lot of different things.”

Automation embraced

One concept that most company decision makers can easily grasp is that automation, in the right form, can get them over the hump.

DigiCert’s survey showed that 91 percent of those polled were at least discussing automated PKI management, with 70 percent, acknowledging that they expected to implement a solution within 12 months. Some 25 percent of the respondents said they were at or beyond the implementation stage.

Change, of course, is never easy. Humans love what’s familiar and organizations are skewed against taking on unfamiliar operational headaches. Trzupek has been making the case with DigiCert’s customers and prospects that the long run savings and improved security are well worth it.

“What a lot of enterprises are looking for is automation that’s predictable and controlled,” he says. “This can be done through policies that allow them to manage automation inside of a change window — in a way that doesn’t disrupt operations and has the intended effects, which can be tested and measured.”

It’s a certainty that PKI and digital certificates will remain deeply engrained in every aspect of our Internet-driven services, going forward. It’s good to see automation being brought to bear helping to keep PKI stable and robust. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone