Analysis
Step 1: Specify Objectives to Prioritize Features
When looking at a new PKI provider or considering an investment in CLM tooling, start by identifying the “why.” Are there specific challenges you are trying to overcome? Are there specific features you are lacking?
For PKI, this will link directly with requirements definition in Step 4. For CLM, there are different solutions available for different requirements and some that can satisfy a multitude of requirements in one product.
Take time to define and prioritize the objectives that are driving the activity and map them to related features. This will ensure you target the right solutions and avoid both costly scope creep and overlooking solutions already within your grasp.
Some example CLM objectives and related features are provided in Figure 2. Use this matrix as a guide for assessing individual objectives, prioritizing the key capabilities and driving your sourcing and architectural decisions.
Figure 2: Example CLM Objectives/Features Matrix

In a broader context, certificate use cases are expanding, certificate environments are becoming more complex and dynamic,1,2 and certificate validities are shortening (see Note 1).3,4,5,6 With a growing focus on resilience and threats posed to certificates by quantum computers (see Note 2),7 regulators are starting to demand better crypto visibility and agility so that certificates can be tracked and maintained seamlessly (see Note 3).8,9
Visibility, agility and the ability to operate at scale should be at the core of Step 1.
Step 2: Define Use Cases, Trust Boundaries and the Operating Model
PKI can be used to support a vast and varied number of use cases, across which CLM capabilities and approaches can vary. Therefore, once you understand the “why,” it is important to define the “what.”
Define PKI Use Cases
PKI is used for authentication, encryption and signing across workload, device and human use cases, both publicly and privately. All PKI use cases across the organization should be considered when reassessing PKI and CLM strategies. This will ensure a PKI buying strategy that works holistically across your estate and a consistent approach to CLM across all PKIs.
If visibility of all PKIs is limited, include discovery and/or PKI posture management as a key feature in Step 1 and define the priority use cases that are driving the activity. Priority use cases will include those that cause significant challenges, incorporate the most certificates or represent the quickest wins.
Define PKI Trust Boundaries
Strike a balance between the simplicity of operating one PKI for all certificate use cases and the segregation offered by multiple PKIs. Use this process as an opportunity to reassess and redraw PKI trust boundaries and determine the strategic PKIs required across all use cases.
When completing this exercise, apply the basic principles shown in Figure 3 alongside any organization-specific requirements.
Figure 3: Basic Principles for Defining PKI Trust Boundaries

Define the Operating Model
The new operating model should be defined in accordance with the centralized/decentralized security (CeDeSec) trend, which stipulates centralized governance and control for decentralized use. CLM tooling can support the CeDeSec operating model by providing a single policy-based orchestration framework for all CLM workflows across multiple PKIs. Orchestration enables organizations to diverge from attempts to centralize everything into one PKI hierarchy and, instead, support the PKI boundaries defined earlier in this step while still providing centralized control.
Certificate authority (CA) trust can change over time, so it is important to establish a CA-agnostic strategy. CLM tooling can support this.
As the operating model is redefined, analyze changes to ways of working and new processes that may be introduced; for example:
Manual to automated processing
Decentralized to single-pane-of-glass management
On-premises to “as a service” (aaS) deployment
Introduction of self-service capabilities
New governance processes
New or changed infrastructure components
New or changed support models
New RACI (responsible, accountable, consulted and informed) matrices
The outcome of this analysis allows the strategic direction to be challenged early on, based on any issues raised. It also allows related requirements to be built into PKI/CLM requirements in Step 4, such as automation integrations, role-based access controls, support model requirements and new aaS connectivity
Note that a PKI as a service (PKIaaS) or CLM as a service (CLMaaS) operating model is not right for everyone. Figure 4 shows the pros and cons of PKIaaS/CLMaaS across multiple categories, with related recommendations to support the final decision making during operating model definition.
Figure 4: Determining Whether PKIaaS/CLMaaS Is Right For You

Step 3: Evaluate Vendor Trends to Create a Roadmap
The vast use of certificates and the security mechanisms they underpin necessitate a long-term strategy that must account for related vendor trends. Evaluating the vendor landscape will guide your PKI and CLM sourcing strategy and roadmap to help support the “when” in terms of capability adoption.
An increasing number of vendors provide solutions for PKI and CLM with evidence of supplier convergence.10,11,12 Figure 5 shows some example vendors and an array of different capabilities that now intersect across them.
Figure 5: Example PKI/CLM Vendors and Capabilities Expansion

Individual vendor capabilities vary in terms of breadth and depth. Some vendors focus on broader use case coverage and branch into wider trust capabilities or asset types such as code signing, document signing, DNS trust, SMIME, SSH keys, secrets and privileged access management. Some vendors provide deeper CLM coverage; for example, providing more intelligent analytics on the certificates discovered and related vulnerabilities, or more comprehensive automation capabilities. Some vendors offer a small subset of relevant features such as certificate discovery.
Several key decisions must be made at this point to drive the sourcing strategy and roadmap definition:
Vendor rationalization versus best in class: Targeting one vendor for multiple use cases supports a vendor rationalization strategy and, in some cases, single-pane-of-glass control. However, it risks compromising on wider features across all use cases and adds supply chain risk in the event of issues with the single supplier. Use priority features defined in Step 1 to guide this decision.
Separating versus combining trust (PKI) and management (CLM): Opting to separate or combine trust and management is a subset of the vendor rationalization decision. Assess the impact of PKI distrust and whether this has a greater impact if the same vendor is also relied upon for wider CLM functionality. Note that vendors may provide PKI and CLM as separate services.
Quick wins from existing vendors: In many cases, incumbent vendors may offer a quick route to new PKI/CLM capabilities (e.g., by expanding use of an existing ITSM or scanning tool to incorporate CLM capabilities). Consider both tactical and strategic use of existing vendors as part of the roadmap but use priority features defined in Step 1 to guide this decision and ensure an approach that fits your needs over the long term.
The extent of discovery: Different discovery tools based on different scan types (e.g., network scans, endpoint scans) may find different (but intersecting) subsets of certificates within the estate. It is possible to combine the outputs of multiple scans to build certificate inventory accuracy, and many CLM tools have the capability to orchestrate this and run/ingest multiple scans. Depending on the existing and desired maturity level, consider the extent to which discovery will be implemented and, if using multiple scan outputs without orchestration tooling, how these will be subsequently collated and deduplicated.
Buy versus build: While vendor tooling exists, you may consider the possibility of building capabilities in-house after closer inspection of desired features, use cases and vendor solutions. Potential capabilities to build might include operating a self-hosted or open-source private PKI or developing complementary CLM capabilities such as automation scripts. Consider both tactical and long-term strategic use of self-built tooling in alignment with the desired operating model.
When implementing enterprise-level certificate life cycle management at scale across multiple PKIs and use cases, purchase of CLM tooling is likely unavoidable to deliver the capabilities required. Keep in mind that CLM vendors are also working to meet the needs of smaller, less complex environments.
Plan the delivery of objectives and priority features mapped in Step 1
Support the use cases, PKI trust boundaries and operating model defined in Step 2
Align milestones to the tactical and strategic decisions made as part of the trends evaluation here in Step 3
CLM implementation will require a phased approach, from wrestling with discovered certificates and bringing them under management, to establishing integrations and implementing automation — use case by use case.
Establish timelines against which progress can be tracked and regular reviews can be completed. Define outcome-driven metrics aligned with objectives from Step 1 to measure success. For example:
Average time for certificate issuance
Percentage of automated certificate issuance
Rolling average of automated certificate issuance
Percentage of systems/domains scanned for certificates
Number of help desk calls due to unmanaged/managed certificate expiry per month/year
Number of incidents due to unmanaged/managed certificate expiry per month/year
Average time to resolve certificate expiry-related outages
Rolling average of certificate policy exceptions (potentially broken down by severity if tooling allows)
Percentage of certificate policy exceptions remediated (potentially broken down by type, e.g., key length, algorithm or lifetime, if tooling allows)
Note that PKI and CLM initiatives are often driven by certificate visibility and agility requirements. Postquantum readiness also hinges on visibility and agility, but across all cryptography usage.
Align the strategic PKI and CLM roadmap with the broader postquantum readiness roadmap.
Step 4: Develop Detailed Requirements for RFP and POC
With the prework completed, organizations can now begin to consider which tools fit their needs.
First define the requirements for the RFP process, based on desired features, use cases, PKI trust boundaries, the operating model and the strategic roadmap.
Figure 6 shows key differentiators/requirements for PKI/CLM.
Figure 6: Key Differentiators/Requirements for PKI/CLM

Use these key differentiators to help define key categories within which organization-specific requirements can be defined. However:
Requirements definition must go beyond the high level to be effective and to ensure strategic outcomes.
For example: Many organizations define certificate automation as a key requirement and many tools support certificate automation. However, certificate automation alone does not adequately describe the requirement in a way that will facilitate evaluation and differentiation between solutions. Therefore:
Define the extent to which you want to automate: automated workflow only; automated renewal following manual issuance; or full automation including automated issuance on demand and last-mile provisioning to the endpoint.
Define the use cases for which you need automation, including specific technology products/models at specific versions that you must integrate with.
Align with expectations about where and how certificate signing requests are created, and where and how issued certificates are delivered.
Another example is requirements for discovery and inventory. Discovery and inventory are standard features in CLM tooling. However, the scope of discovery and the extent to which you need to or can understand certificate issues, ownership, related business processes and related business impacts from the inventory may vary. Related requirements should be explicitly defined to adequately assess options.
These examples also highlight the importance of a POC once you have shortlisted solutions, particularly for CLM, to validate that solutions meet expectations.
During CLM evaluation, POC is critical to align paper-based assessments with the realities of operation. Spend extra time assessing automation capabilities, discovery/inventory/assessment mechanisms and support for non-standard-based life cycle management.
Step 5: Optimize Effort and Assess Cost to Influence TCO
To complete the buying process and confirm how you will proceed, you must decide how you will staff the deployment and negotiate the deal.
Factor in the following to optimize the adoption and maintenance effort:
Machine identity working group: Since no single team has the expertise and reach to govern and manage all certificate types, redefine the RACI model within the scope of a machine identity working group. Define policy, and enforce that policy through compliance processes spanning the applicable PKI and CLM use cases and tools.
Ownership: As part of the RACI definition, define ownership across PKIs, CLM tooling and certificates/keys. Typically, different PKIs will be owned by either the security function (who are experts at key management, or they manage the relationship with aaS vendors who are) or the technology function who owns the related service (e.g., Active Directory team supporting Microsoft Active Directory Certificate Services). CLM will usually be owned by the security function (who understands and sets cryptography policy). Certificates and keys will generally be owned by the consuming service or endpoint admin (who would be impacted by expiry and/or have access to administer certificates and therefore take responsibility for life cycle management).
Resource/skills: Adoption of new tooling will require resources and may change the skills required (e.g., if moving from a manual, process-driven model to an automated model). Any new resources or skills should be identified in Step 2 and ease of implementation should be considered in Step 4. At this final stage, factor in the necessary skills uplift as part of decision making and plan for the changes required (e.g., training, recruitment).
Support provided: Vendors may differ in the level of support they provide as standard (e.g., allocation of customer success managers) and the support available at extra cost (e.g., professional services for customised automation). Assess your unique needs in successfully deploying and managing new products and factor vendor support for these into buying decisions.
New processes: The adoption of new tooling may facilitate or require new processes (e.g., a new governance process for certificate compliance or a service to monitor local/low latency business unit-owned or cloud-native PKIs). Factor this in ahead of time and ensure that all processes related to the new tooling are defined, since a well-established process is key for success and ensuring the tooling is used as intended. Then, evaluate tools based on their support for these processes.
As you evaluate the deal, consider the following:
Cost models: Vendors may differ in the cost models they apply (ELAs, per certificate, per action, etc.). PKI vendors may also have different charging models for things like SAN and wildcard certificate usage. Evaluate the best deal based on your unique certificate usage. Look out for licensing models that allow for cost overrun or could impact cost control to avoid future issues.
Customer profile: Vendors differ in terms of customer profile “fit.” Some vendors might lend themselves to large organizations with high complexity or high certificate volumes, while others might be aimed more toward standard use cases and lower complexity. Some vendors may also have specific offerings for small and midsize businesses (sometimes called “lite” offerings) to provide a tiered service. Factor this into decision making to ensure the right fit.
Vendor lock-in: Assess the deal for any clauses that might impact vendor lock-n; for example, certificate revocation in the event of PKI contract termination (this is to be avoided) or use of proprietary integrations. For both PKI/CLM, factor into contract lengths and future contract renegotiation timescales the potential requirement for — or impact of — future migration.
Finally, don’t expect ROI to be achieved overnight. Existing systems may need to run alongside new systems as you make the transition (e.g., operating existing and new PKIs as you transition from one to the other, or operating manual processes alongside automation). Factor this into financial planning. However, you can also factor in cost avoidance (e.g., certificate outage costs).