Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

How to Make the Business Case for Certificate Lifecycle Automation

SSL/TLS Certificates

Monday morning rolls in, you grab a coffee to start the day. Let’s face it, you’ll need it. 

If you’re on the PKI team (or a lonely team of one), keeping up with certificate requests, chasing down application owners, and renewing certificates before they expire is just another day in the life.

There are a few ways you may be tackling the problem. Most opt for spreadsheet-based tracking. The PKI team maintains and updates the spreadsheet, and regularly checks in for renewals. Some use tools provided by their CAs. Homegrown scripts may even provide some level of automation. 

Shifting from Manual to Automated  

If you’re reading this blog, though, you’ve probably realized this toolset only takes you so far.  

It’s not just time-consuming, it’s frustrating. Application teams forget about their certificates, ignore notifications, and regularly fail to install them correctly. They may even stand up their own CA and start issuing certificates without your knowledge (this happens A LOT). Meanwhile, you’re on the hook when an expired or corrupted certificate brings down an application.  

Bottom line: you need to get certificate management under control.  

That’s where certificate lifecycle automation tools come in. They’re built to break you out of manual processes by providing things like discovery of all known (and unknown) certificates, expiration alerting, centralized reporting and automated lifecycle handling. 

However, making the case for certificate automation up the chain of command is never easy. There are at least a dozen other IT projects on the docket, so how do you build a business case that sticks? 

5 Steps to Build Your Business Case

Here are five (albeit simplified) steps to create a compelling business case for improving your certificate management maturity from manual to automated. 

  1. Bring in the A-Team

    If you’re responsible for running PKI in the organization, you typically don’t control or manage the certificates issued from it – your system and network admins do. But the teams that cause you the most pain can be your biggest asset here. Figure how they’re getting certificates (from an authorized CA or elsewhere) and how much time it takes them to provision, install and renew those certificates on their devices and applications.
  2. Map it out & identify your gaps

    Take what you’ve learned and map it out. Nothing is more powerful than a whiteboard session with your A-Team. Take time to map out your CA infrastructure, applications, and certificate request, issuance and renewal workflows. Once you get the process out of your head and onto a whiteboard, you’ll be able to quickly identify gaps and inefficiencies.
  3. Define your project requirements

    Now that you’ve identified the problem, it’s time to outline your success criteria, core capabilities of an ideal solution, and how that can be accomplished using existing in-house resources vs a new product. Don’t limit your requirements to a single use case (we see this far too often with PKI teams). Think about all of your certificate needs now and into the future.
  4. Know what you’re up against

    According to Gartner analysts, “Security and risk management leaders are often unaware of the scope or status of their X.509 certificate deployments.”* These unknowns leave you unequipped to do your job. Even if you haven’t experienced a SEV1 outage, you need to clearly communicate the risks and operational costs of outages  or certificate vulnerabilities in your network. 
  5. Nail the ROI 

    Don’t let budget be a blocker. Define the cost of buying a solution vs delaying the project. If you invest in certificate lifecycle automation today, how much will it save over the next five years? How much productivity is lost by delaying to next year? If you’re trying to break free from hours of manual work spent on managing certificates, this is the key to your success. 

How to Measure the ROI of Certificate Lifecycle Automation

According to Gartner, organizations that deploy certificate management tools will suffer 90% fewer certificate-related issues and spend half the time managing these issues.* That said, translating risk into dollars and cents isn’t easy.   

Here are some real examples of metrics that our customers used to measure ROI and make the business case for certificate lifecycle automation. 

Outages/Downtime 

  • Inaction: Estimate the revenue loss of website or application downtime per hour and loss of IT resources to remediate the issue (e.g. # of IT/PKI admins x salary/hour x 4-8 hours).  
  • Action: Certificate lifecycle automation tools allow you to prevent outages with certificate discovery, continuous monitoring, and expiration alerts to renew certificates before they expire.

Certificate Requests 

  • Inaction: Estimate the number of hours per week you/your team spend fulfilling certificate requests and tracking inventory (e.g. # of people x salary/hour x 2-3 hours per week). 
  • Action: Self-service portals and APIs can dramatically reduce time delays between certificate requests and issuance. It also doesn’t hurt to track all certificates from a single dashboard. 

Certificate Provisioning 

  • Inaction: Estimate the number of hours per week that network/system admins would rather not spend installing/verifying certificates on devices (e.g. 10-15 min/certificate x # of F5 devices). 
  • Action: Automation workflows issuance, renewal, provisioning and binding of certificates to the right locations can reduce or altogether eliminate manual steps in the process. 

Get Started

Not sure where to begin? Use this certificate management maturity model to identify where you are today, and the practical steps you can take to get where you need to be. 

*Technology Insights for X.509 Certificate Management, October 2019, David Mahdi, David Collinson (Gartner)