TL;DR: Manual certificate tracking breaks down as certificate volumes grow across cloud, DevOps, and IoT, leaving organisations exposed to expirations, outages, audit gaps, and compliance failures, according to Keyfactor. The core issue is not the spreadsheet itself but the governance model behind it: certificate visibility, ownership, and renewal now require automation to remain reliable at scale.
NHIMG editorial — based on content published by Keyfactor: Out of Gas on Manual Tracking? Refuel with Automation
Questions worth separating out
Q: How should teams replace manual certificate tracking without losing control?
A: Start with a verified inventory across every CA, platform, and environment.
Q: When does manual certificate management become a material risk?
A: It becomes material as soon as the certificate estate outgrows what one team can reliably see and maintain.
Q: What do teams get wrong about certificate automation?
A: They often treat it as a convenience upgrade instead of a resilience control.
Practitioner guidance
- Build a complete certificate inventory first: aggregate certificates across public and private CAs, cloud services, DevOps pipelines, and IoT estates so renewal, ownership, and revocation are based on verified data rather than spreadsheet entries.
- Automate lifecycle events end to end: implement automated issuance, renewal, binding, and revocation workflows for certificates that support business-critical services, then test that alerts fire before expiry becomes visible to users.
- Assign ownership to systems, not memory: map each certificate to a responsible application or service owner and connect that ownership to access control and escalation paths in your ITSM process.
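As an added illustration of the inventory and ownership points above (example code written for this post, not code from Keyfactor or the source article), the following Python reconciles a discovery feed against a spreadsheet-style inventory: it flags certificates that discovery sees but the inventory does not, inventory rows no longer observed, rows with no owner, and the expiry escalation tier of each certificate. The fingerprints, subjects, CA names, dates and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Escalation tiers in days before notAfter; expiry itself is handled separately.
THRESHOLDS = (("critical", 7), ("urgent", 14), ("warn", 30))

@dataclass(frozen=True)
class Discovered:
    fingerprint: str  # certificate fingerprint as the CA or scanner reports it
    subject: str
    ca: str
    not_after: date

def alert_level(cert: Discovered, today: date) -> str:
    """Map remaining lifetime to an escalation tier ("ok" if outside all tiers)."""
    remaining = (cert.not_after - today).days
    if remaining < 0:
        return "expired"
    for level, days in THRESHOLDS:
        if remaining <= days:
            return level
    return "ok"

def reconcile(discovered, tracked, today):
    """Compare discovery output with the inventory (fingerprint -> owner, "" if unassigned)."""
    seen = {c.fingerprint: c for c in discovered}
    findings = {
        "untracked": sorted(fp for fp in seen if fp not in tracked),   # seen, never recorded
        "stale": sorted(fp for fp in tracked if fp not in seen),       # recorded, no longer seen
        "unowned": sorted(fp for fp in seen if fp in tracked and not tracked[fp]),
        "alerts": {},
    }
    for fp, cert in sorted(seen.items()):
        level = alert_level(cert, today)
        if level != "ok":
            findings["alerts"][fp] = level
    return findings

# Constructed sample data: four certificates from discovery, four inventory rows.
TODAY = date(2025, 6, 1)
DISCOVERED = [
    Discovered("a1", "CN=www.example.test", "PublicCA", date(2025, 6, 5)),
    Discovered("b2", "CN=internal-api", "PrivateCA", date(2025, 6, 12)),
    Discovered("c3", "CN=iot-gateway-07", "IoTCA", date(2025, 9, 1)),
    Discovered("d4", "CN=legacy-vpn", "PrivateCA", date(2025, 5, 20)),
]
TRACKED = {"a1": "platform-team", "b2": "", "d4": "network-team", "e5": "platform-team"}
```

Running `reconcile(DISCOVERED, TRACKED, TODAY)` on this data reports `c3` as untracked, `e5` as stale, `b2` as unowned, and escalation tiers for `a1`, `b2` and the already-expired `d4`.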
What's in the full article
Keyfactor's full article covers the operational detail this post intentionally leaves for the source:
- A practical breakdown of why spreadsheet-led tracking breaks down across cloud, DevOps, and IoT certificate estates.
- A step-by-step transition plan for moving from manual renewals to automated lifecycle control across multiple certificate authorities.
- Specific feature requirements for certificate management platforms, including discovery, reporting, ITSM integration, and multi-CA support.
- Examples of how organisations can pilot automation in one domain before expanding across the enterprise.
👉 Read Keyfactor's analysis of why manual certificate tracking no longer scales →
Manual certificate tracking is failing: what should IAM teams do?
Explore further
Manual certificate tracking is a trust governance failure, not an administrative inconvenience. When ownership, expiry, and usage are recorded in spreadsheets, the organisation is already operating with partial visibility. That means certificates can outlive their tracking state, and governance cannot prove what it does not continuously observe. The practitioner conclusion is simple: trust controls that depend on human memory do not scale with modern certificate volume.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How should certificate governance support cryptoagility?
A: Certificate governance should make cryptographic changes executable without service disruption. That means automated discovery, policy-based renewal, and reliable revocation paths that let teams replace trust components quickly when algorithms, standards, or business requirements change. Without that operational layer, cryptoagility remains a strategy deck concept rather than a working control.
👉 Read our full editorial: Certificate management automation is becoming operationally mandatory