Blog

Inside a PKI Health Check: How We Assess, Grade and Report on Your Estate

What actually happens during a PKI health check? Unsung walks through the engagement from kick-off to findings report, what we examine and what you receive.

Public Key Infrastructure tends to attract attention only when something goes wrong. For much of its life it runs quietly in the background, issuing and validating the certificates that authenticate users, secure connections and underpin trust across the estate. That quietness is precisely the problem. It is easy to assume a PKI is healthy simply because it has not failed yet, and organisations frequently discover the true state of their environment only at the worst possible moment.

A PKI health check exists to remove that uncertainty. It is a structured, independent assessment of the current state of an organisation's PKI, producing a clear view of what is working, what carries risk, and what should be done about it. This article walks through how Unsung runs a health check, from the first conversation to the findings report, so that organisations considering one know exactly what to expect, what will be asked of them, and what they will receive at the end.

Why organisations commission a health check

Health checks are rarely commissioned out of idle curiosity. They tend to follow a specific prompt.

The most common is inheritance. An organisation takes on responsibility for a PKI it did not build, whether through a service transition, a supplier change, or staff turnover, and finds that the knowledge and documentation handed over are incomplete. The environment works, but nobody can confidently explain how, or vouch for how well.

Others follow a scare. A certificate expires unexpectedly and takes a service down, or an audit raises a question the team cannot answer, and leadership wants assurance that no larger problem is lurking. Some are driven by change on the horizon: a migration, a move to the cloud, or preparation for the post-quantum transition, where a clear picture of the current state is a prerequisite for planning the next one. And some are simply good governance, an organisation choosing to verify that infrastructure this important is being run to a standard it can defend.

In every case the underlying need is the same. The organisation wants an honest, expert view of where its PKI stands, delivered by someone independent of the team that runs it.

What a PKI health check includes

At a high level, a health check examines the whole of the PKI estate across its technical, operational and governance dimensions, and translates what it finds into prioritised, actionable recommendations. The assessment typically covers:

  • Architecture and use cases: the certificate authority hierarchy and trust model, and the purposes the PKI serves, such as TLS, mutual TLS, user authentication, smartcards, document signing and device identity.
  • Physical and logical security: how the certificate authorities and supporting infrastructure are protected, where keys and credentials are held, and who has access to them.
  • Revocation services: how certificate revocation is published and checked, including CRL and OCSP configuration, lifetimes and resilience.
  • Backup and recovery: whether backups exist, what they cover, where they are held, and whether recovery has ever actually been tested.
  • Monitoring and alerting: whether the certificate authorities, revocation endpoints and certificate lifetimes are monitored, and whether the right people are alerted when something fails.
  • Enrolment and issuance: how certificates are requested, approved and issued, and how much of that process is automated.
  • Certificate lifecycle management: whether certificate expiry is tracked centrally, and whether ownership is clear.
  • Permissions and separation of duties: who can manage the certificate authorities and issue certificates, and whether that access is appropriately controlled.
  • Governance and documentation: the maturity of the supporting policies, procedures and Certificate Policy and Certification Practice Statement, where these exist.

The assessment is benchmarked against recognised standards, including NIST guidance on certificate management and key lengths and, where relevant to the organisation, the NCSC PKI Principles. This grounding is what turns observation into defensible recommendation.

How the engagement runs, step by step

A health check is a focused engagement that moves through a clear sequence, scaled to the size and complexity of the estate. Each stage builds on the last, from establishing the picture to delivering the findings.

Kick-off and questionnaire

The engagement begins before any technical work. A pre-assessment questionnaire is shared with the organisation, tailored to its environment, covering the architecture, use cases, scale, governance obligations and any known pain points. The responses give our consultants an early picture of the estate and, just as usefully, highlight the areas the organisation itself is unsure about.

A kick-off session follows once the responses are in. This meeting introduces the key stakeholders, confirms who can provide access to systems and documentation, clarifies anything left open in the questionnaire, and establishes a high-level understanding of the infrastructure. It also confirms the practical arrangements, including any access required, and sets expectations for what the health check will and will not cover. The tone is collaborative from the outset; a health check works best when the organisation's own team engages with it openly.

Information gathering

The core of the engagement is a structured evidence-gathering exercise combining documentation review, technical sessions and direct examination of the environment.

Documentation review takes in the infrastructure, architecture and design material, the operational processes and procedures, and any Certificate Policy or Certification Practice Statement. Documentation is frequently out of date, so it is treated as a starting point rather than a source of truth.

Technical sessions bring together the operators, architects, security staff and management who understand the environment in practice. These walk-throughs establish how the PKI is actually configured and operated, validate the documentation against reality, and surface the deviations and recent changes that documentation so often omits. Where a piece of information cannot be established, that gap is itself recorded as a finding rather than quietly left out.

Direct examination of the environment gathers the technical detail that underpins the assessment: the configuration of the certificate authorities, the certificate templates and profiles in use, revocation settings, permissions and server details. This is carried out with the organisation's own team and, where its security controls allow, directly against the environment.

What we need from you

A health check is only as good as the access it is given, and this is the area organisations most often underestimate. To run a thorough assessment, our consultants need the organisation to provide:

  • The relevant documentation, however incomplete,
  • Access to the technical staff who operate and understand the environment,
  • Access to the certificate authority and supporting systems, whether directly or remotely, in line with the organisation's security controls,
  • The time of the right people to take part in the technical sessions.

None of this is onerous, but it does require planning. Where security controls prevent direct access, the assessment adapts and gathers the equivalent information through the organisation's own team. The one thing that genuinely constrains a health check is an organisation that cannot free up the people who hold the knowledge.

Analysis and the findings report

With the evidence gathered, the analysis phase turns it into findings. Each component and process is assessed, risks are identified and graded, and recommendations are developed. The output is a written report, structured for both technical and executive audiences.

The report opens with an assessment summary and key findings, stating the facts plainly. It then presents the current configuration and detailed findings, each in a clear findings-and-recommendations format, with risks graded high, medium or low so that attention can be directed where it matters most. High-risk items are those demanding immediate attention, such as certificate authority keys held insecurely, unprotected backups, or unmonitored revocation services. Medium and low-risk items are those to plan for or improve over time. Crucially, the report also records what the organisation is doing well, because an honest assessment recognises strength as readily as weakness.

The report closes with forward-looking sections: a roadmap for addressing the findings and a view of how the PKI could evolve, whether towards modernisation, automation or post-quantum readiness.

The closure session

The engagement ends with a session that presents the findings to the organisation's stakeholders, talks through the recommendations and priorities, and answers questions. This is where the report becomes genuinely useful, translating a written assessment into a shared understanding and an agreed sense of what to tackle first. The organisation leaves with a clear, independent view of its PKI and a practical basis for acting on it.

What you receive at the end

At the close of a health check, the organisation holds a comprehensive findings report giving clear visibility of the health of its PKI, with prioritised, evidence-based recommendations that inform a remediation roadmap and, where needed, an investment case. Just as valuable is the clarity it brings: a documented, independent baseline of an environment that may previously have been only partly understood. For many organisations, that baseline becomes the foundation for everything that follows, whether remediation, modernisation or a longer-term transformation programme.

How Unsung approaches health checks

Unsung is a UK-based specialist PKI consultancy with a team of more than 20 dedicated PKI experts serving government, defence, financial services, healthcare, transport and critical national infrastructure clients. Our PKI Health Check is delivered on a strictly vendor-neutral basis, so findings and recommendations are shaped by what is right for the organisation rather than by any product allegiance.

The approach has been applied across very different environments. Our health check for an engineering sector client, for a healthcare organisation, and for a systems integrator each show the same structured method adapted to the client's circumstances, in the last case reconstructing an accurate picture of an estate whose knowledge transfer from a previous supplier had been incomplete.

For organisations that are unsure of the true state of their PKI, that have inherited an environment they cannot fully account for, or that simply want independent assurance that infrastructure this important is being run to a defensible standard, a health check is the most direct way to find out. To discuss how a health check would map onto your environment, contact us to start the conversation.

Author
July 7, 2026
-