XELANED
DE|EN
Get in touch

PKI & CLM

For reliable certificate operations

Certificates are a core security and trust element for modern IT infrastructures—from TLS operations and identities to signatures. A Public Key Infrastructure (PKI) provides the technical and organizational foundations for issuing, managing, and validating certificates. Certificate Lifecycle Management (CLM) extends this with standardized processes and automation for requests, rollout, renewal, revocation, inventory, monitoring, and audit evidence across the entire lifecycle.
In practice, reliability does not result from individual certificates, but from a resilient interplay of policies, automation, transparency (inventory/monitoring), and an operational target model (roles, logging, HA/DR). That is exactly why we always consider PKI and CLM together.

Inventory & Transparency

Inventory, ownership, validity periods, dependencies, and risks as the foundation for governance and audit.

Automated Rollout

Standardized provisioning and renewal across platforms and protocols (e.g., ACME, EST, SCEP, CMP).

Operations & Evidence

Logging, roles, HSM integration, HA/DR, and defined processes for stable, auditable operations.

History of PKI – from Certificate to Platform

Over the past decades, PKI has evolved from isolated certificates for specialized use cases into a central infrastructure building block. The historical context helps classify today’s architectural decisions and the role of CLM more effectively.

1970s to 1990s

Cryptography & Early Standards
Asymmetric cryptography (e.g., RSA) and standards such as X.509 laid the foundation for trustworthy digital identities. In this phase, the first certificate hierarchies and protocols such as SSL/TLS emerged, primarily for securing web connections.
  • 1970s/80s
    Foundations of public-key cryptography; first research PKIs.
  • Late 1980s
    X.509 as the base format for certificates and directory services.
  • 1990s
    SSL/TLS and the first public CAs for secure web connections.

2000s

Enterprise PKI & Identity Integration
Organizations establish their own CAs, directory services, and policies. PKI becomes part of the infrastructure—closely integrated with Active Directory, VPN, WLAN/NAC, email encryption, and smart cards.
  • Enterprise‑CAs
    Building internal root/sub CAs incl. policies and CPS
  • PKI for Users & Devices
    User, computer, and device certificates for login, VPN, WLAN, and email
  • Governance
    Introduction of validity periods, algorithms, namespaces, and operational processes

2010s to today

Automation, CLM & Cloud
With cloud, DevOps, IoT, and zero trust, the number of certificates has grown explosively. Manual management is no longer practical—PKI becomes a platform and CLM the central control layer for policies, protocols, and integrations.
  • Automation
    Use of protocols such as ACME, EST, SCEP, CMP, and APIs for large-scale issuance
  • Multi‑CA & Hybrid
    Combination of internal CAs, public CAs, and cloud PKI services
  • CLM platforms
    Central inventory, policy engine, workflows, and integrations—the foundation for NIS2, DORA, and KRITIS evidence

Integrations & Rollout Protocols

Standard protocols (ACME, EST, SCEP, CMP), APIs, and connectors enable reliable rollout—including defined reload/restart steps and an audit trail.

Endpoints & Workloads

  • Web + Apps
    NGINX, Apache, IIS, Ingress, Service Mesh
  • Network
    Load Balancer, WAF, Gateways, Appliances
  • Clients + Devices
    Managed Endpoints, MDM, IoT/OT
  • Signatures
    Code Signing, Document signatures

CLM Control Plane

  • Portal + REST API
    Automation‑First
  • Profiles + Templates
    SAN, Key Usage, Validity Period
  • Workflows
    Approvals, Delegation, Escalation
  • Monitoring
    Alerts, Reports, SIEM/ITSM

CAs & Key Protection

  • Private + Public CAs
    e.g., AD CS or managed PKI
  • HSMs + Vaults
    BYOK, HYOK possible
  • Policy-driven key generation

Protocols at a Glance

In practice, a mix of protocols is often used: ACME for web/cloud workloads, EST for managed devices, SCEP for legacy/MDM scenarios, and CMP for classical PKI environments. What matters is a consistent policy layer across all enrollment paths.

ACME

  • Suitable for (TLS in web/cloud/Kubernetes)
  • Auto-renewal with accounts/policies
  • Typical (ingress controller, service mesh, LB)
  • CLM value-add (central visibility + guardrails)

EST

  • Suitable for (enterprise devices, network equipment)
  • Enrollment via TLS/SSL
  • Typical (device groups & standard templates)
  • CLM value-add (device policy, reporting, audit)

SCEP

  • Suitable for (legacy integrations (MDM, appliances))
  • Broadly supported, often less flexible than EST
  • Important (clear policy boundaries and logging)
  • CLM value-add (governance + inventory as a safety net)

CMP

  • Suitable for (classical PKI & more complex flows)
  • Management/enrollment scenarios in PKI-heavy environments
  • Often used in regulated environments
  • CLM value-add (workflow orchestration + policy layer)

Practical Note: Protocol Strategy

Define a standard path per platform (e.g., ACME for K8s, EST for devices) and keep exceptions small. This makes renewal and rollout predictable—including consistent audit reports.

Quantum‑Safe Readiness (PQC)

Post-quantum cryptography is not a “single switch.” It is a program: transparency, crypto agility, test scenarios, and controlled migration—often in hybrid phases.

PQC Inventory & Risk View

Identify affected certificates, algorithms, and trust paths—and prioritize migration by criticality and dependencies.
Crypto‑VisibilityHybridPrioritization

Test → Introduce → Enforce

Build a pipeline for PQC scenarios: staging CAs, pilot workloads, policy enforcement, and rollback options.
LabsPoliciesRollout

Operating Models: On-Premises, SaaS, and Cloud

In operations, three questions are typically decisive: Who runs the control plane (CLM), who runs the CA(s), and where is the key material stored (e.g., on-prem HSM vs. CloudHSM)? Below is a comparison of common models, including advantages and disadvantages.

On‑Premises

CLM/PKI services, CA infrastructure, and HSM hardware in your own data center. Maximum control over networks, roles, and key processes.
SovereigntyAuditabilityAir-Gap

SaaS

CLM platform as SaaS with fast integrations and API-first workflows. Key custody via BYOK/HYOK models, dedicated options, or external key stores.
Time-to-ValueOperational EffortAPI‑First

Cloud

HSM-backed key services at the hyperscaler (managed/dedicated). Particularly suitable for cloud-native workloads and global scale—provided tenancy/sovereignty requirements are clear.
Cloud‑nativeManaged KeysGlobal Scale

Options Compared (Quick Matrix)

CRITERIONON‑PREMISESAASCLOUD
ControlVery high (networks, HSM, CA, policies)Medium (control plane with provider; integrations with you)Medium to high (depending on service: managed vs. dedicated)
Time‑to‑ValueOften longer (procurement, hardening, HA)Very short (onboarding, APIs, templates)Short to medium (services are fast; networks/policies must be considered)
Ops EffortHigh (patching, backups, HA, lifecycle)Low (platform operations handled by provider)Low to medium (managed low, dedicated higher)
Key‑SovereigntyMaximumVaries (BYOK/HYOK, dedicated options)Varies (tenancy/regions/export policies)
ScalabilityCapacity-boundVery good (platform scales)Very good (global; regions/AZs)
Suitable forKRITIS/high-assurance, OT/legacy, strict isolationBroad automation, many teams/workloadsCloud-native apps, short validity periods, DevOps

The CLM Process (End-to-End)

An end-to-end, audit-proof certificate process—regardless of which CA is used. The key is consistent control across inventory, policies, automation, and operations—from request to renewal.

Lifecycle Steps

  1. 1
    Discover
    Identify certificates and keys in CAs, endpoints, clouds, and stores.
  2. 2
    Classify
    Assign owner, app, environment, criticality, and compliance class.
  3. 3
    Automate
    Enrollment & renewal via protocols/agents/orchestrators.
  4. 4
    Protect
    Generate keys securely and store them in HSMs/key vaults.
  5. 5
    Govern
    RBAC, approvals, policies, audit trail, SIEM/ITSM integration.

Outcome

You always have transparency into which certificates exist, where they are used, who is responsible, and when automated actions take effect. This reduces outages, improves security, and establishes traceable governance.

What would you like to do next?

XELANED’s specialists are available at any time to support your next steps. Together, we prioritize topics, clarify dependencies, and choose an approach that fits your environment both technically and organizationally.

Build Knowledge

In a compact workshop, we clarify goals, the current state, and the next steps.
Book a workshop

Project Planning

We discuss scope and dependencies and create a robust implementation plan.
Get in touch