What is Certificate Lifecycle Management – CLM Series Part 1
Every secure connection your organisation makes, from websites to APIs to internal applications, depends on a digital certificate. These certificates authenticate identities, encrypt data, and establish the trust that digital systems need to function. But certificates are not permanent. They expire, they get compromised, and they need replacing. Certificate lifecycle management (CLM) is the discipline of managing all of this at scale.
CLM covers the entire certificate journey: from the initial request and issuance, through monitoring and renewal, to revocation and retirement. In a small environment, this might be manageable with a spreadsheet. In a modern enterprise with tens of thousands of certificates issued across multiple PKI environments, cloud providers, and business units, manual management is not just inefficient. It is a direct source of risk.
This guide explains what CLM involves, why it has become critical for organisations of all sizes, how automation is changing the discipline, and what to look for when selecting a CLM platform.
The Certificate Lifecycle: From Issuance to Retirement
A digital certificate passes through a series of defined stages. Understanding these stages is essential for managing certificates effectively and for recognising where manual processes tend to break down.
Request and Issuance
The lifecycle begins when a system, user, or application generates a Certificate Signing Request (CSR) and submits it to a Certificate Authority (CA). The CA validates the request and issues the certificate. How this exchange happens depends on which certificate management protocols your environment supports, whether that is ACME, EST, CMP, or SCEP. Each protocol suits different environments and use cases, from web servers to IoT devices to enterprise desktops.
Enrolment and Deployment
Once issued, the certificate must be deployed to the correct systems. This could mean installing it on a web server, pushing it to endpoints via Active Directory Group Policy, provisioning it to a Kubernetes cluster, or distributing it to a fleet of IoT devices. The complexity here scales directly with the diversity of your infrastructure.
Discovery and Inventory
In practice, organisations rarely have a complete picture of every certificate in their environment. Certificates get issued by different teams, across different CAs, in different cloud environments, and through different tools. Discovery is the process of scanning your infrastructure to find every certificate, including those that were created outside of formal PKI processes. Building a cryptographic bill of materials provides the foundation for this visibility.
Monitoring and Renewal
Certificates have finite validity periods. When they expire, the services that depend on them fail immediately. Monitoring tracks expiry dates and certificate health across the entire estate. Renewal replaces certificates before they expire, ideally through automated workflows that require no manual intervention. With the industry moving toward shorter TLS certificate lifetimes, the window for catching an approaching expiry is shrinking rapidly.
Revocation
Sometimes a certificate needs to be invalidated before its natural expiry, typically because a private key has been compromised or an employee has left the organisation. Revocation publishes the certificate's revoked status through Certificate Revocation Lists (CRLs) or OCSP responders so that relying parties stop trusting it. Effective revocation depends on having complete visibility of which certificates exist and where they are deployed.
Retirement
At the end of its useful life, a certificate is retired from active use. This includes removing it from systems, archiving records for audit purposes, and ensuring no residual dependencies remain. Orphaned certificates, those that remain deployed but are no longer monitored or managed, are a common source of security risk.
Why Certificate Lifecycle Management Matters
The consequences of poor certificate management are immediate and visible. Expired certificates cause outages that disrupt services, break encrypted connections, trigger browser warnings, and erode customer trust. The Microsoft Teams global outage in 2020, caused by a single expired authentication certificate, is one of the most widely cited examples. Industry estimates put the average cost of IT downtime at approximately $5,600 per minute.
Beyond outages, unmanaged certificates create security vulnerabilities. Certificates issued with weak algorithms, excessive validity periods, or inadequate key protection expand the attack surface. Certificates created outside governed PKI processes, sometimes called shadow certificates, sit unmonitored in production environments. And without a complete inventory, organisations cannot accurately assess their exposure to emerging threats like quantum computing.
Regulatory pressure is also increasing. Standards including GDPR, PCI DSS, HIPAA, and eIDAS either explicitly require or implicitly depend on effective certificate governance. Audit findings related to expired, unknown, or non-compliant certificates are becoming more common, particularly in financial services and healthcare.
The Impact of Shorter Certificate Lifetimes
In April 2025, the CA/Browser Forum voted unanimously to reduce the maximum validity of public TLS certificates through a phased schedule:
March 2026: maximum lifetime reduces to 200 days
March 2027: maximum lifetime reduces to 100 days
March 2029: maximum lifetime reduces to 47 days
This means that by 2029, the same set of certificates that currently requires annual renewal will need renewing approximately eight times per year. For an organisation managing 10,000 public TLS certificates, that means going from 10,000 renewal events a year to approximately 80,000.
Manual renewal processes will not survive this transition. Organisations that do not implement automated CLM before these deadlines take effect face a choice between continuous operational firefighting and systematic certificate-related outages. This shift is the single most significant driver of CLM adoption in 2026.
It is worth noting that these rules apply to publicly trusted TLS certificates only. Internal PKI certificates are not subject to CA/Browser Forum rules, though many organisations are choosing to align internal practices with external standards for consistency and reduced risk.
The Four Pillars of CLM
Effective certificate lifecycle management rests on four foundational capabilities, which we explore in detail in our dedicated article on the four pillars of CLM:
Applicability ensures the CLM system matches your organisational requirements: supporting hybrid infrastructure, integrating with multiple CAs, and accommodating both legacy and cloud-native environments.
Visibility provides a complete, real-time picture of every certificate in your environment. Without visibility, you cannot monitor expiry dates, enforce policy, or identify unknown certificates.
Availability ensures continuous certificate validity through proactive monitoring, automated renewal workflows, and rapid revocation and replacement capabilities.
Automation eliminates manual processes by orchestrating issuance, renewal, deployment, and revocation at scale. Automation reduces human error, enforces consistent policy, and is the only viable approach for managing certificates in the era of 47-day lifetimes.
CLM Automation: Eliminating Manual Certificate Management
Manual certificate management typically means tracking certificates in spreadsheets, relying on calendar reminders for renewals, and handling each issuance or replacement as a standalone task. This approach fails at scale for several reasons:
Spreadsheets go stale. The moment a certificate is issued outside of the tracked process, the inventory is incomplete. Teams across the organisation issue certificates independently, and without automated discovery, those certificates remain invisible until they expire and cause an outage.
Manual renewals are error-prone. A missed renewal for a single certificate can take down a production service. When renewal volumes increase eightfold due to shorter lifetimes, the probability of human error becomes a near-certainty.
Policy enforcement is inconsistent. Without automation, there is no mechanism to ensure that every certificate meets organisational standards for key length, algorithm, validity period, and permitted use.
Modern CLM platforms address these challenges through automated certificate discovery across hybrid environments; automated renewal and deployment workflows; centralised policy enforcement; integration with SIEM platforms, secrets management tools, and IT service management systems; and real-time alerting and compliance reporting. For more on overcoming resistance to CLM automation, see our practical guide.
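As an added illustration (not code from the original article or from any CLM vendor), the following Python script performs the kind of inventory check that the phased lifetime schedule above and the three manual-management failures just listed call for: it flags certificates due for renewal, certificates that breach a key or signature policy, public certificates whose validity exceeds the cap in force on their issue date, and certificates found by discovery outside the governed PKI process. The inventory is constructed sample data; the policy thresholds, the renew-at-one-third-remaining rule, and the use of the first of the month for each schedule phase (the article gives only the month) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Phased caps on public TLS certificate validity, as stated in the article.
# The article gives only the month; the first of the month is assumed here.
MAX_LIFETIME_SCHEDULE = [(date(2026, 3, 1), 200), (date(2027, 3, 1), 100), (date(2029, 3, 1), 47)]

# Organisational policy thresholds: illustrative assumptions, not the article's.
MIN_RSA_BITS = 2048
ALLOWED_SIG_ALGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption", "ecdsa-with-SHA256"}
RENEW_AT_FRACTION_REMAINING = 1 / 3  # renew once a third of the lifetime is left (assumed rule)


@dataclass
class Cert:
    name: str          # subject common name or SAN
    not_before: date
    not_after: date
    key_alg: str       # "RSA" or "EC"
    key_bits: int
    sig_alg: str
    public: bool       # publicly trusted, so subject to the CA/Browser Forum caps
    source: str        # "pki" = issued via the governed process; anything else came from discovery


def max_public_lifetime(on: date) -> Optional[int]:
    """Maximum validity in days for a public TLS cert issued on `on`; None if no phase applies yet."""
    cap = None
    for start, days in MAX_LIFETIME_SCHEDULE:
        if on >= start:
            cap = days
    return cap


def renewals_per_year(lifetime_days: int, estate_size: int = 1) -> int:
    """Renewal events per year if every certificate is reissued at the end of its lifetime."""
    return round(365 / lifetime_days * estate_size)


def check_cert(cert: Cert, today: date) -> List[str]:
    findings = []
    lifetime = (cert.not_after - cert.not_before).days
    remaining = (cert.not_after - today).days
    if remaining < 0:
        findings.append("expired")
    elif remaining <= lifetime * RENEW_AT_FRACTION_REMAINING:
        findings.append(f"renew: {remaining} days left")
    if cert.key_alg == "RSA" and cert.key_bits < MIN_RSA_BITS:
        findings.append("weak-key")
    if cert.sig_alg not in ALLOWED_SIG_ALGS:
        findings.append("weak-signature")
    cap = max_public_lifetime(cert.not_before)
    if cert.public and cap is not None and lifetime > cap:
        findings.append(f"lifetime {lifetime}d exceeds {cap}d cap")
    if cert.source != "pki":
        findings.append("shadow")  # issued outside the governed PKI process
    return findings


def check_inventory(certs: List[Cert], today: date) -> Dict[str, List[str]]:
    """Map each certificate name to its findings, omitting clean certificates."""
    return {c.name: f for c in certs for f in [check_cert(c, today)] if f}


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    Cert("www.example.test", date(2026, 4, 1), date(2026, 5, 18), "EC", 256, "ecdsa-with-SHA256", True, "pki"),
    Cert("api.example.test", date(2026, 4, 1), date(2027, 4, 1), "RSA", 2048, "sha256WithRSAEncryption", True, "pki"),
    Cert("legacy.internal.test", date(2024, 1, 1), date(2026, 5, 10), "RSA", 1024, "sha1WithRSAEncryption", False, "scan"),
    Cert("svc.internal.test", date(2025, 6, 1), date(2026, 12, 1), "RSA", 2048, "sha256WithRSAEncryption", False, "pki"),
]
TODAY = date(2026, 5, 5)

if __name__ == "__main__":
    print(f"47-day certs, 10,000 estate: {renewals_per_year(47, 10000)} renewals/year")
    for name, findings in check_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real estate, the `Cert` records would be populated by discovery (network scan, agent, or CA log) rather than typed in, and the policy table would come from the CLM platform.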
Certificate Management Protocols
CLM platforms interact with Certificate Authorities through standardised protocols. Each serves different environments and use cases. For a detailed comparison, see our guide to certificate management protocols: CMP, ACME, EST, and SCEP.
ACME (Automatic Certificate Management Environment) is the protocol behind Let's Encrypt and is now supported by most major CAs and CLM platforms. It is the default choice for automating public TLS certificate issuance and renewal, and increasingly for private certificates too.
EST (Enrolment over Secure Transport) is designed for device and IoT certificate enrolment, using TLS for transport security. It is well suited to modern, REST-based environments.
CMP (Certificate Management Protocol) is a mature, feature-rich protocol widely used in telecommunications, government, and industrial PKI. It supports complex operations including key recovery and cross-certification.
SCEP (Simple Certificate Enrolment Protocol) is common in Microsoft and MDM (Mobile Device Management) environments. It is straightforward to implement but lacks the security features of newer protocols.
When evaluating CLM platforms, protocol support determines which environments and use cases the platform can manage effectively. A platform that only supports ACME will not address SCEP-based device enrolment, and vice versa.
How to Choose a CLM Platform
Selecting a CLM platform is a strategic decision. The platform will become foundational infrastructure for maintaining trust, compliance, and operational continuity. Key considerations include:
Multi-CA support: the platform should manage certificates from any CA, not lock you into a single vendor. This includes public CAs, private enterprise CAs like Microsoft AD CS or EJBCA, and cloud CA services.
Deployment flexibility: can the platform deploy on-premises, as SaaS, or in hybrid configurations? Does it support air-gapped environments for defence and government use cases?
Discovery capability: how does the platform find certificates? Does it use network scanning, agents, API integrations, or a combination? Can it discover certificates across cloud providers, containers, and legacy infrastructure?
Automation depth: does the platform automate the full lifecycle, including issuance, renewal, deployment, and revocation? Does it integrate with DevOps pipelines, Kubernetes, and CI/CD workflows?
Integration ecosystem: what out-of-the-box integrations does the platform offer with SIEM, ITSM, PAM, and HSM systems?
Post-quantum readiness: does the platform support post-quantum cryptography algorithms and provide cryptographic discovery to support migration planning?
Licensing model: CLM licensing varies significantly across vendors, from per-certificate pricing to flat-fee subscriptions. The right model depends on your certificate volume, growth trajectory, and budget predictability requirements. We cover this in detail in our CLM vendor and licensing model evaluation guide.
The CLM Product Landscape
The CLM market has consolidated significantly. CyberArk's $1.54 billion acquisition of Venafi in 2024 reshaped the competitive landscape, while Keyfactor's acquisitions of InfoSec Global and CipherInsights in 2025 strengthened its cryptographic discovery and PQC capabilities.
The major platforms in the market include:
Venafi (CyberArk Certificate Manager) is the dominant enterprise platform, with 200+ integrations and proven scale at over one million certificates. It is now being integrated into CyberArk's broader identity security portfolio.
Keyfactor Command is the primary mid-market alternative, with native EJBCA integration and leading post-quantum cryptography support. Unsung works extensively with Keyfactor Command.
DigiCert Trust Lifecycle Manager is a cloud-based, CA-agnostic platform built on the DigiCert ONE infrastructure, strongest when standardised on DigiCert as the primary CA.
Sectigo Certificate Manager is a cloud-native CLM platform with strong ACME support and a dedicated SMB tier (SCM Pro).
Entrust PKI Hub is a newer all-in-one container-based virtual appliance launched in 2025, bundling CA, CLM, enrolment, and validation into a single deployment.
Certdog by Krestfield is a UK-developed CA and CLM platform with particular strength in AD CS environments and a free tier for smaller estates.
Other options include AppViewX CERT+, GlobalSign Atlas/LifeCycleX, Nexus Certificate Manager, HashiCorp Vault PKI (for ephemeral certificates in DevOps environments), and AWS Private CA for cloud-native workloads.
For a detailed vendor-by-vendor product comparison, capability matrix, and licensing model analysis, see our CLM vendor evaluation and licensing guide.
Unsung's Certificate Lifecycle Management Services
Unsung provides specialist certificate lifecycle management consultancy and technical delivery. We are vendor-neutral, working with whichever platforms and CAs suit your environment.
Our services cover:
Assessment and advisory: we review your current certificate inventory, PKI architecture, and management processes to identify visibility gaps, governance weaknesses, and efficiency improvements.
Design and implementation: we design CLM solutions aligned with your security objectives and compliance requirements, supporting both internal PKI and cloud-based deployments.
Automation integration: we implement automated provisioning, renewal, revocation, and policy enforcement, eliminating manual errors and ensuring consistent governance.
Monitoring and alerting: comprehensive monitoring tracks certificate status across your estate, identifying unknown certificates and alerting teams before expiration affects services.
Crypto agility and PQC readiness: we help organisations build crypto agility into their CLM architecture, preparing for the transition to post-quantum cryptography.
Our consultants hold SC and DV security clearance and deliver across central government, defence, financial services, healthcare, and transport. Talk to our team to discuss your CLM requirements.
Frequently Asked Questions About Certificate Lifecycle Management
What is the difference between PKI and CLM?
PKI (Public Key Infrastructure) is the framework that creates and manages digital certificates and cryptographic keys. CLM is the operational discipline of managing those certificates through their entire lifecycle, from issuance to retirement. PKI creates the trust; CLM ensures that trust is maintained continuously.
Why can't I manage certificates manually?
Manual management works for very small estates. As certificate volumes grow and validity periods shorten, manual processes create unacceptable risk. With 47-day TLS certificates arriving by 2029, an estate of even 1,000 public certificates will require approximately 8,000 renewal events per year. Spreadsheets and calendar reminders cannot sustain this.
What is certificate discovery?
Certificate discovery is the process of scanning your infrastructure to identify every deployed certificate, including those created outside formal PKI processes. Discovery is typically the first step in any CLM implementation, because you cannot manage what you cannot see. Modern CLM platforms use network scanning, agents, API integrations, and CA log analysis to build a complete inventory.
What happens when a certificate expires?
Services relying on the expired certificate fail immediately. Websites become inaccessible, APIs stop responding, encrypted communications break, and users see security warnings. The impact can range from minor inconvenience to major business disruption. See our article on the real cost of expired certificates.
What is a Certificate Authority (CA)?
A Certificate Authority is the trusted entity that issues digital certificates. Public CAs (such as DigiCert, Sectigo, or Let's Encrypt) issue certificates for publicly facing services. Private CAs (such as Microsoft AD CS or EJBCA) issue certificates for internal systems, users, and devices. Most enterprises use both.
What protocols do CLM platforms use?
CLM platforms interact with CAs through protocols including ACME, EST, CMP, and SCEP. Each serves different environments. ACME is the default for automated TLS certificate management, EST suits device enrolment, CMP handles complex enterprise operations, and SCEP supports Microsoft and MDM environments. See our protocol comparison guide.
Do the 47-day certificate rules apply to internal certificates?
No. The CA/Browser Forum rules apply only to publicly trusted TLS certificates. Internal PKI certificates issued by your own Certificate Authorities are not subject to these requirements. However, many organisations are choosing to align internal practices with external standards to improve consistency and reduce operational risk.
How does CLM support zero trust?
Zero trust architectures require cryptographic proof of identity for every access request. CLM ensures that the certificates providing this proof are always valid, correctly configured, and promptly replaced when compromised. Without effective CLM, zero trust implementations cannot maintain the certificate hygiene they depend on.
What is crypto agility and why does it matter for CLM?
Crypto agility is the organisational capability to transition between cryptographic algorithms quickly and with minimal disruption. As post-quantum cryptography standards mature, organisations will need to replace the algorithms their certificates currently use. CLM platforms that support crypto agility allow this transition to happen systematically rather than as a crisis response.
What is the difference between CLM and a Certificate Authority?
A Certificate Authority issues certificates. A CLM platform manages certificates across their entire lifecycle, regardless of which CA issued them. Most enterprise environments use certificates from multiple CAs, and a CLM platform provides a single pane of glass across all of them.
How do I know if my organisation needs CLM?
If any of the following apply, your organisation needs CLM: you have experienced certificate-related outages; you do not have a complete inventory of all certificates in your environment; certificates are managed by multiple teams with no central oversight; you rely on manual processes for renewal; you are preparing for shorter TLS certificate lifetimes; or you need to comply with regulatory requirements around certificate governance. A PKI health check is typically the best starting point for understanding your current position.
How long does a CLM implementation take?
Implementation timelines vary depending on the platform and the complexity of your environment. A basic deployment covering discovery and monitoring can be operational within weeks. A full enterprise implementation with automation, policy enforcement, and integration with existing security tools typically takes two to six months. Professional services from the vendor or from a specialist like Unsung significantly accelerate this timeline.