

Certificate sprawl and 90-minute provisioning: what IAM teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Certificate provisioning is averaging 90 minutes per certificate, while automation can cut that to two minutes, support 16x certificate growth with the same staff, and contribute to a 356% ROI and $9.9 million NPV over three years, according to Keyfactor. The governance issue is no longer certificate handling speed alone, but whether identity programmes can scale machine trust without multiplying manual error and outage risk.

NHIMG editorial — based on content published by Keyfactor: 5 Numbers from the Forrester TEI That Should Change How You Think About PKI

By the numbers:

Questions worth separating out

Q: How should security teams reduce certificate management overhead in cloud environments?

A: Security teams should centralise certificate inventory, assign explicit owners, and automate issuance and renewal where the deployment path is well understood.

Q: Why do manual certificate processes create security risk?

A: Manual certificate processes create risk because they depend on humans noticing expiry, following the right approval path, and deploying the certificate correctly every time.

Q: What breaks when certificate visibility is incomplete?

A: When certificate visibility is incomplete, teams lose the ability to detect expiry risk early, confirm ownership, and prioritise renewals by business impact.

Practitioner guidance

  • Map certificate ownership to named business services: inventory every certificate with an accountable owner, deployment target, and expiry date so renewal and incident triage do not depend on tribal knowledge.
  • Automate renewals only after deployment visibility is in place: use workflow automation for low-risk certificates first, but require clear metadata on installation status, approval path, and exception handling for higher-impact certificates.
  • Reduce manual certificate handling in high-churn environments: prioritise workloads, AI pipelines, and service accounts where certificate volume is growing fastest and manual provisioning is already consuming staff time.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • The full TEI breakdown behind the 356% ROI and $9.9 million NPV figures.
  • The workflow logic behind 90-minute manual provisioning and two-minute automated provisioning.
  • The scale assumptions behind 16x certificate growth with the same staff.
  • The infrastructure consolidation discussion behind retiring 70+ servers.

👉 Read Keyfactor's analysis of the Forrester TEI findings on PKI automation →


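Added example (not from the Keyfactor source or from either post in this thread): the inventory-and-triage step the practitioner guidance describes, in Python with the standard library only. It reads the subject CN and notAfter directly out of DER-encoded X.509 certificates with a small ASN.1 TLV walker, joins each certificate with owner, impact tier and installation visibility, flags the gaps that force manual handling, and orders renewals by impact and then by days remaining. The hostnames, owners, tiers, the "today" date and the structure-only sample certificates are constructed for the example, and the gating rule (only low-impact certificates with a named owner and visible installation status go to the auto-renew queue) is an assumption, not a rule stated by the source.

```python
import datetime as dt

CN_OID = b"\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}

def der_read(buf, off=0):
    """Read one DER TLV at buf[off] -> (tag, value, next offset); rejects BER indefinite length."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length == 0x80:
        raise ValueError("indefinite length is not DER")
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    off = 0
    while off < len(value):
        tag, inner, off = der_read(value, off)
        yield tag, inner

def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime is YYMMDDHHMMSSZ; RFC 5280: YY < 50 means 20YY
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def common_name(name):
    """Find commonName in a Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))[:2]
            if oid == CN_OID:
                return val.decode("utf-8")
    return None

def cert_summary(der_bytes):
    """Return (subject CN, notAfter) from a DER-encoded Certificate."""
    _, cert, _ = der_read(der_bytes)    # Certificate SEQUENCE
    _, tbs, _ = der_read(cert)          # tbsCertificate is its first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:            # optional EXPLICIT [0] version
        fields = fields[1:]
    validity, subject = fields[3][1], fields[4][1]   # after serial, sigAlg, issuer
    _, not_after = [parse_time(t, v) for t, v in der_children(validity)]
    return common_name(subject), not_after

def triage(inventory, now, warn_days=30):
    """Join certificates with owner/impact/install metadata and rank renewals. Assumed
    gating: low impact + named owner + visible install status => auto-renew queue."""
    rows = []
    for item in inventory:
        cn, not_after = cert_summary(item["der"])
        days = (not_after - now).days
        gaps = []
        if not item.get("owner"):
            gaps.append("no owner")
        if not item.get("install_visible"):
            gaps.append("install status unknown")
        rows.append({"target": item["target"], "cn": cn, "impact": item["impact"],
                     "days_left": days, "expiring_soon": days <= warn_days, "gaps": gaps,
                     "queue": "auto-renew" if item["impact"] == "low" and not gaps else "manual"})
    rows.sort(key=lambda r: (IMPACT_RANK[r["impact"]], r["days_left"]))
    return rows

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(cn, not_after_utctime):
    """Structure-only certificate (no real key or signature), enough to exercise the parser."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after_utctime.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name
              + validity + name + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

NOW = dt.datetime(2026, 1, 15, tzinfo=dt.timezone.utc)  # constructed "today"
INVENTORY = [  # constructed inventory; hostnames, owners and tiers are illustrative
    {"target": "api-gateway", "owner": "payments-team", "impact": "high",
     "install_visible": True, "der": sample_cert("api.example.internal", "260201000000Z")},
    {"target": "ml-feature-store", "owner": "data-platform", "impact": "medium",
     "install_visible": False, "der": sample_cert("features.example.internal", "260310000000Z")},
    {"target": "internal-dashboard", "owner": "it-ops", "impact": "low",
     "install_visible": True, "der": sample_cert("dash.example.internal", "260420000000Z")},
    {"target": "batch-runner", "owner": None, "impact": "low",
     "install_visible": True, "der": sample_cert("batch.example.internal", "260901000000Z")},
]

if __name__ == "__main__":
    for r in triage(INVENTORY, NOW):
        print(r["impact"], r["days_left"], r["queue"], r["target"], r["cn"], r["gaps"])
```

Real certificates go in as DER bytes; `ssl.PEM_cert_to_DER_cert()` from the standard library converts a PEM string. The parser deliberately stops after the subject, so a certificate with no CN returns `None` for the name and still gets an expiry row, which is exactly the case (an unowned, unnamed certificate close to expiry) that an inventory should surface rather than hide.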



   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Certificate sprawl is now a governance problem, not just an operations problem. As workloads, AI systems, and other machine identities expand, certificate volume outgrows manual handling. That creates a governance burden because renewal, ownership, and installation become hard to prove and harder to audit. The practitioner conclusion is simple: certificate lifecycle control is part of NHI governance, not a back-office afterthought.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Should organisations consolidate PKI infrastructure or keep it distributed?

A: Organisations should decide based on control preservation, not server count alone. Consolidation can reduce maintenance overhead, but only if policy separation, logging, and revocation speed remain strong across every certificate population. If those controls weaken, the organisation has reduced infrastructure cost at the expense of trust governance.

👉 Read our full editorial: PKI automation is redefining certificate governance at enterprise scale



   