Blog

How Mature Is Your PKI? A Framework for Self-Assessment

A practical framework for assessing PKI maturity across governance, visibility, automation and post-quantum readiness. Find out where your estate stands.

Most organisations know whether their PKI is working. Far fewer can say with confidence how well it is working, or how it would hold up under pressure. The two are not the same. A PKI can issue certificates reliably for years while carrying significant unseen risk in its governance, its visibility, or its readiness for what is coming. Maturity is the measure of that difference, and assessing it honestly is the first step towards improving it.

This article sets out a simple framework for assessing PKI maturity across four dimensions: governance, visibility, automation and post-quantum readiness. It is designed to help you form a considered view of where your estate stands and where attention would be best directed.

Why maturity, not just uptime

Judging a PKI by whether it has failed is a low bar, and a misleading one. The absence of a visible incident says nothing about the risks that have not yet materialised. An estate with weak governance, no central visibility of its certificates, heavy reliance on manual processes and no plan for the post-quantum transition may be running smoothly today and be profoundly fragile tomorrow.

A maturity view reframes the question. Instead of asking whether the PKI works, it asks how well it is governed, how clearly it is understood, how much of it runs without manual intervention, and how ready it is for change. Those questions surface the risks that uptime conceals, and they give an organisation a structured basis for improvement rather than a binary pass or fail.

The four dimensions of PKI maturity

Governance

Governance is the foundation, because it determines whether everything else is controlled or accidental. A mature PKI is underpinned by clear policy, defined ownership and documented process. The supporting Certificate Policy and Certification Practice Statement exist and are current, roles and responsibilities are understood, access to the certificate authorities is controlled and appropriately separated, and there is a defensible answer to who is accountable for the estate.

At lower maturity, governance is informal or absent. Knowledge sits with a few individuals, documentation is out of date or missing, and access has accumulated over time without review. The estate may function, but it cannot be assured, audited or defended with confidence.

To gauge governance maturity, ask: is there current policy documentation, is ownership clear, is access controlled and reviewed, and could the organisation demonstrate control of its PKI to an auditor?

Visibility

Visibility is knowing what you have. A mature PKI maintains an accurate, current inventory of its certificates and the systems that depend on them, so that the organisation knows what exists, where it is, who owns it, and when it expires. Without that picture, certificates fail without warning, and the first sign of a problem is an outage.

At lower maturity, the estate is only partially known. Certificates are tracked in spreadsheets, or not tracked at all, ownership is unclear, and expiry is discovered rather than anticipated. The organisation cannot manage what it cannot see, and every unknown certificate is a latent risk.

To gauge visibility maturity, ask: is there a complete and current inventory of certificates, is ownership recorded, is expiry tracked centrally and proactively, and would an unknown certificate on an important system be discovered before it caused a problem?

Automation

Automation is what makes a PKI scalable and resilient. A mature estate automates the routine and error-prone parts of the certificate lifecycle, from enrolment and issuance through to renewal, so that certificates are not left dependent on someone remembering to act. Automation reduces both the operational burden and the risk of human error, which is the most common cause of certificate outages.

At lower maturity, the lifecycle is heavily manual. Renewals depend on individuals and calendars, issuance is inconsistent, and the process does not scale with the estate. As the number of certificates grows and their lifetimes shorten, manual management becomes progressively less tenable.

To gauge automation maturity, ask: how much of the certificate lifecycle runs without manual intervention, are renewals automated or reliant on people, and would the current approach cope with a significant increase in certificate volume or a reduction in certificate lifetimes?

Post-quantum readiness

Post-quantum readiness is the forward-looking dimension, and the one most organisations have barely begun to address. The cryptography that underpins today's PKI will eventually be vulnerable to quantum computing, and the transition to quantum-safe algorithms is a substantial undertaking rather than a simple swap. A mature organisation has begun to understand its exposure, knows where its cryptography lives, and has a view of how it would migrate.

At lower maturity, post-quantum readiness is not on the agenda at all. The organisation does not know which systems use which algorithms, has no cryptographic inventory, and has no plan for a transition that will, in time, become unavoidable. The risk is not immediate, but the lead time is long, and organisations that start late will find the transition far harder.

To gauge post-quantum maturity, ask: does the organisation understand where its cryptography is used, is there a cryptographic inventory, and is there any plan for the eventual transition to quantum-safe algorithms? Our article on what post-quantum cryptography means sets out why this matters.

Reading your results

Taken together, these four dimensions give a rounded picture. An estate can be strong in one and weak in another, and the pattern is itself informative. Strong governance with poor visibility suggests good intentions undermined by a lack of tooling. Good automation with weak governance suggests capability outrunning control. Consistently low maturity across all four is a signal that the PKI has grown organically without a guiding strategy, which is common and entirely addressable.

The purpose of the exercise is not to arrive at a score for its own sake, but to identify where improvement would deliver the most value, and to prioritise accordingly. A candid self-assessment is the starting point; an independent assessment is how organisations turn that into a defensible baseline and a plan.

How Unsung helps

Unsung is a UK-based, specialist cybersecurity consultancy focused exclusively on Public Key Infrastructure, with a team of more than 20 dedicated PKI experts. We work on a strictly vendor-neutral basis across advisory, delivery and managed services.

A structured self-assessment is a useful first step, but it has limits: it relies on what the organisation already knows about itself. A PKI Health Check provides an independent, evidence-based assessment across exactly these dimensions, producing a clear view of maturity, prioritised recommendations and a baseline the organisation can act on. From there, our wider PKI consultancy and certificate lifecycle management services can address whatever the assessment identifies.

If you would like an independent view of how mature your PKI really is, contact us to discuss a health check.

Author
July 13, 2026
-