Top 10 Questions to Ask When Evaluating a Certificate Management Tool

Managing PKI today is hard work. Spreadsheets or homegrown tools may have brought you this far, but times have changed. Between the need for round-the-clock certificate requests and renewals, regular compliance audits, and chasing down rogue certificates, you’ve reached a tipping point.


If you’re looking for a certificate management tool, chances are you’ve experienced one too many outages – or maybe you’ve failed an audit. You’re not alone. Recent reports show that 87% of organizations have experienced at least one certificate-related outage in the last 24 months.

So, like many others, you’ve decided you need to deploy a certificate management tool, but you’re not sure what questions to ask or even where to start. You’re in the right place.


Start With Requirements

First and foremost, determine project requirements. Some questions to ask yourself:

  • Which (and how many) CAs will the solution need to support?
  • What are the systems and applications in the organization that rely on certificates?
  • What are the criteria required for different user groups within the organization?
  • Is there a specific time frame for evaluation and deployment?
  • Do I need a solution that also provides managed PKI?

Once you’ve set your requirements, ask vendors these 10 pre-purchase questions to make sure the certificate management tool you choose meets your needs.


10 Questions to Ask Certificate Management Tool Vendors

Question #1: Does the solution support more than one CA?

Organizations with internal PKI use an average of 8 different issuing CAs, not to mention one or more public CAs. Don’t get locked into CA-provided tools that only allow you to issue and manage certificates from their own CA. Keeping track of certificates across multiple CA dashboards requires ongoing, manual effort that is not only time-consuming, but also prone to error and oversight.


Question #2: What level of visibility will your solution provide?

It’s not the certificates you know about that will cause your next outage, it’s the ones you don’t – and an incomplete inventory will leave you exposed. Network-based discovery is table stakes. Ask the vendor whether their solution can inventory CAs directly. Can it detect certificates issued outside of standard processes (i.e., rogue certs)? Can it inventory key and certificate stores in network devices and cloud services?
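To make the visibility questions concrete, here is an added example (not code from the original post or from any vendor) of the two checks an inventory should be able to run over every certificate it finds: is the issuer on the approved-CA list, and will the certificate expire inside the renewal window? It uses only the `openssl` CLI, generates its own constructed sample certificates (self-signed, so the subject CN doubles as the issuer CN), and the approved-issuer names and 30-day window are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes `openssl` is on PATH.
# Classifies PEM certificates as OK, EXPIRING, ROGUE (issuer not approved),
# or ROGUE+EXPIRING, the way a discovery tool's inventory check would.

APPROVED_ISSUERS="Corp Issuing CA,Corp Issuing CA 2"   # constructed names
WARN_DAYS=30                                           # assumed renewal window

# Print the issuer CN of a PEM certificate (assumes one CN in the issuer DN).
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# classify_cert FILE -> prints OK | EXPIRING | ROGUE | ROGUE+EXPIRING
classify_cert() {
  f=$1
  status=""
  cn=$(issuer_cn "$f")
  # Issuer must appear in the comma-separated approved list.
  case ",$APPROVED_ISSUERS," in
    *",$cn,"*) ;;
    *) status="ROGUE" ;;
  esac
  # -checkend exits non-zero when the cert expires within the given seconds.
  if ! openssl x509 -in "$f" -noout -checkend $((WARN_DAYS*86400)) >/dev/null; then
    status="${status:+$status+}EXPIRING"
  fi
  echo "${status:-OK}"
}

# audit_dir DIR -> one "file status" line per PEM certificate in DIR.
audit_dir() {
  for f in "$1"/*.pem; do
    printf '%s %s\n' "$(basename "$f")" "$(classify_cert "$f")"
  done
}

# Constructed sample inventory: one good cert, one expiring in 10 days, and one
# issued by a CA that is not on the approved list.
make_sample_certs() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Corp Issuing CA" -keyout "$dir/good.key" -out "$dir/good.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 \
    -subj "/CN=Corp Issuing CA" -keyout "$dir/expiring.key" -out "$dir/expiring.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Rogue Test CA" -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null
}

# Stand-alone demo: build the sample inventory in a temp dir and audit it.
demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir"
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

In a real deployment the input would be the certificates a discovery scan pulled from endpoints, key stores and the CAs themselves rather than a directory of self-signed samples; the point of the two checks is the same: an issuer outside the approved set is the "rogue" case the question asks about, and the expiry window is what turns an inventory into an early warning rather than a post-outage report.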


Question #3: How will the solution integrate with my existing infrastructure?

A certificate management tool that requires significant changes to existing firewall and port configurations is likely to slow network traffic and trigger all sorts of IDS and IPS alarms. You should ask your vendor for a detailed rundown of what discovery and management capabilities they offer and – more importantly – how they are implemented across CAs, network segments, and IaaS platforms.


Question #4: What if I need to change, remove or add a CA to my PKI?

Crypto-agility is key. If a CA or algorithm is compromised, it’s not enough to simply re-issue keys and certificates from a new CA. The vendor should make the process: (1) non-disruptive to the business, (2) attainable within mission-critical timeframes, and (3) achievable within ecosystems that contain hundreds of thousands of certificates across distributed systems and applications.


Question #5: What automation capabilities does the solution offer?

Automation can – and should – take many forms, and be whatever you need it to be. An effective certificate management tool offers agent-based and agentless automation, a robust API library, and support for standard protocols like Windows auto-enrollment, ACME and SCEP. Make sure the vendor can integrate with your target systems – F5, IIS, Citrix, AWS and Azure KeyVault, among others.




Question #6: How quickly can I deploy the solution?

Time-to-value is critical to meeting your objectives. Avoid “middleware” architectures that sit between CAs and end devices. Deploying these products can take months, requiring you to re-issue all certificates through their platform before you can manage them. The solution should be able to integrate with existing workflows and certificates, then roll out new issuance workflows and automation as needed.


Question #7: How difficult and time-consuming is it to use the solution?

You’ll need to think about the resources required, not just to deploy the solution, but also to run it in production. A product that can only be used by trained PKI experts is only going to be useful if and when you have experts on hand. It shouldn’t take a PKI admin to request or renew a certificate, monitor certificates for expiration and compliance, or generate reports for audits.


Question #8: What are the infrastructure requirements for the solution?

When evaluating the total cost of ownership of a certificate management tool, you should include costs of hardware, software deployment, and network infrastructure changes needed to support the solution without adversely affecting your business operations. The most flexible products can easily be deployed on-premises, in the cloud, or across hybrid and containerized environments.


Question #9: Are there any scalability issues I should be aware of?

Scalability is everything; most organizations have tens or hundreds of thousands of certificates. As certificate volumes and issuance velocity increase, you’ll need to keep pace. It’s one thing to integrate with DevOps and cloud tools; it’s another to keep up with thousands of certificate transactions per second. Don’t take the vendor’s word for it: put the solution to the test.


Question #10: What kind of support or expertise do you offer?

Support teams are pivotal to your experience with testing, deployment, and use of the product. If you experience an issue, how quickly can the vendor respond? Does the vendor offer 24/7 access to trained PKI experts? If your PKI team is already stretched, can the vendor offer the option of a fully hosted PKI service to offload backend maintenance? Ask the vendor for customer reviews and references.


Still not sure what to look for in a certificate management tool? Check out our free Certificate Lifecycle Automation Buyer’s Guide for a more comprehensive overview.


*** This is a Security Bloggers Network syndicated blog from PKI Blog authored by Ryan Sanders. Read the original post at:


Ryan Sanders

Ryan Sanders is a Toronto-based product lead with Keyfactor, a leader in providing secure digital identity solutions for the Global 2000 Enterprises. Ryan has a passion for cybersecurity and actively analyzes the latest in compliance mandates, market trends, and industry best practices related to public key infrastructure (PKI) and digital certificates.
