When you don’t have a solid grip on Public Key Infrastructure (PKI), things break fast and often without warning.
As your business grows, so does your infrastructure and your public key footprint. Without centralized oversight, key sprawl becomes inevitable. And with that comes visibility gaps, inconsistent revocation processes, growing operational risk, and a high possibility of a breach.
CISOs and IT leaders must stop treating PKI as a back-end task and start recognizing it as a critical layer of enterprise security. Prioritizing strong key hygiene doesn’t just reduce operational risk, it also protects customer trust and positions your organization for long-term resilience.
Consider the Microsoft breach disclosed in June 2023. It originated in 2021, when a crash dump from a Microsoft consumer signing system unintentionally included a cryptographic key used for signing authentication tokens. Due to improper security scanning and storage practices, the dump was later accessed from an internet-connected environment. Attackers then retrieved the key and used it to forge valid JSON Web Tokens (JWTs), allowing them to bypass Microsoft’s authentication systems, impersonate users, and gain unauthorized access to Microsoft 365 services.
Even after Microsoft invalidated the key, some access persisted due to long-lived tokens that weren’t properly tracked or revoked. This extended the attack window and increased the risk of lateral movement across cloud environments.
Most engineers and security teams understand the importance of public keys, so why does mismanagement still happen?
Here’s Why It Happens
Fragmented ownership and shadow IT
The question of who owns public keys and certificates has been debated for years, especially in companies without a dedicated PKI team
Some developers argue that the network admin should purchase and manage SSL certificates, then hand them off to the web developer to install. Others say web devs shouldn’t touch public keys with a 10-foot pole because “it’s not part of their core skills.”
Then there are folks who insist it’s a DevOps or sysadmin responsibility, while some argue it’s too critical to leave to anyone but the office of the CTO or CISO.
This ambiguity creates institutional risk. When the one person informally responsible leaves, no one knows which certificates are expiring, which are obsolete, or where keys are stored. This results in broken trust chains, disrupted services, and rushed recovery efforts.
Manual tracking and incomplete inventories
Some IT and security teams still rely on Google Calendar, Excel spreadsheets, Snipe-IT, homemade PowerShell scripts, IT Glue, and even scheduled help desk tickets to track and manage public keys and certificates. This approach may have been feasible when certificates lasted two or three years and companies only managed a handful. But with Google proposing a 90-day certificate validity period, teams still doing this manually will be dangerously overwhelmed, and at far greater risk of public key mismanagement.
Lack of integration across cloud and on-prem systems
PKI models typically fall into three categories: all-cloud users, on-prem-only users, and hybrid users.
Some teams prefer cloud-based PKI for its scalability, automation, and reduced server maintenance. But it often introduces vendor lock-in, limited integration, and reduced control over root or intermediate certificate authorities (CAs).
On-prem PKI gives you full control over templates, key sizes, and policies. But it demands intensive manual upkeep, specialized staff, and resilient infrastructure.
Then there’s the hybrid model, cloud + on-prem, which some users believe is the most logical middle ground. But the hybrid model poses complex integration challenges.
For example, if 802.1X certificates expire in 10 hours but the Certificate Revocation List (CRL) updates every 12 hours, a timing gap emerges. In hybrid setups that rely on CRL or OCSP to validate certificates, revoked certificates may still be trusted, introducing avoidable risk.
Similarly, issuing certificates on-prem while managing devices in the cloud often requires exposing internal PKI components—such as CRLs or OCSP responders—to the internet. This adds complexity and expands the attack surface. Even with strict isolation, limited visibility, and manual processes, create blind spots and slow response times.
The Hidden Costs of Public Key Mismanagement
For most companies, the damage from mismanaging a public key can be categorized in three ways:
Direct Costs (Immediate & Measurable Losses)
When a key or certificate expires or is misconfigured, critical systems like websites, APIs, VPNs, or authentication services can go down. Internal teams lose access to tools, files, or workflows tied to expired or revoked keys, grinding productivity to a halt until the issue is resolved.
In industries including e-commerce or finance, every minute of downtime can cost thousands to millions of dollars. Also, it triggers emergency remediation action, which can burn hours of high-cost professional services.
Indirect Costs (Longer-term business impact)
Untracked or misused keys violate security and privacy regulations like PCI-DSS, HIPAA, or GDPR. This could lead to regulatory fines.
Moreover, customers, investors, and partners see mismanaged keys, expired certificates, or outages as signs of weak security hygiene. Which can erode trust, especially after a public incident.
Opportunity Costs (Missed strategic advantages)
Manually handling certs is a leading cause of public key mismanagement, and it slows down CI/CD pipelines and cloud adoption. Causing engineers to spend time renewing certs, chasing down key locations, or debugging PKI issues, instead of pushing code or launching features. Also, an unreliable PKI threatens potential technology investments & partnerships
Principles of Effective Public Key Management
Centralized Key and Certificate Visibility
Without a central inventory, your team risks losing track of certificates scattered across cloud workloads, containers, user endpoints, and third-party systems. Shadow certs quietly expire, unauthorized keys get reused, and revocation processes become guesswork.
Centralizing visibility:
- Creates a single source of truth for every active key and certificate in the environment
- Enables real-time monitoring to detect misconfigurations or anomalies early
- Improves audit capabilities to satisfy compliance requirements
This foundation enables faster response during incidents and reduces risk of untracked certs or unmanaged keys leaking into CI/CD pipelines.
Automate Certificate Lifecycle Management
Manual certificate handling doesn’t scale. Relying on engineers or sysadmins to renew, revoke, or deploy certs introduces human error, operational delays, and even expiration-driven outages.
That’s where automation comes in.
Automatic certificate lifecycle management tools like Keyfactor Command take the burden off individual teams and reduce the risk of downtime. By automating the issuance, renewal, and revocation of certificates, you can:
- Ensure timely issuance, renewal, and revocation without manual intervention.
- Reduce outages caused by forgotten or misconfigured certificates.
- Free up your engineering and security teams to focus on higher-value tasks.
Automation also enforces consistent policy, eliminates weak configurations, and improves overall cryptographic hygiene across environments.
Implement Crypto-Agile Policies
Static, hardcoded cryptography can leave your systems vulnerable when algorithms get deprecated or compromised.
Crypto-agility means being able to adapt quickly by deploying new or multiple algorithms. It requires:
- Systems that can swap out algorithms or key sizes without needing a full redesign
- The ability to avoid lock-in to outdated tools or libraries
- Compliance with regulatory requirements as they shift toward stronger encryption protocols.
Mandate algorithm flexibility in your key usage policies and insist vendors support crypto-agile capabilities. This enhances your organization’s resilience to adapt to future threats and risks.
Public Key Mismanagement = Business Risk
Mismanaging public keys isn’t just a technical oversight; it’s a business risk. When organizations lack visibility, automation, and governance across their PKI, they open the door to outages, compliance failures, and reputational damage that could’ve been avoided. That’s why CISOs and IT leaders must recognize that this is a critical layer of enterprise security. Prioritizing strong key hygiene reduces operational risk, maintains customer trust, and positions your organization for long-term resilience.
