Hi all,
Now that SSL/TLS certificates will have shorter lifespans, managing all of the certs that are in use by an organization is going to be even more important.
I wanted to see what everyone is using to automate the discovery and management of certificates. I am aware of Venafi, but was looking for some alternatives or perhaps some open source options.
Thanks!
I don't use this personally because we have so few but I do have a lot of colleagues that use PRTG to monitor their TLS/SSL certs. It's a full blown network monitoring tool that can monitor way more than just certs but they found it greatly helped with keeping track of cert expiration.
Certificate management is the process of acquiring, deploying, monitoring, renewing, and revoking digital certificates. Today’s businesses aren’t just running a single website anymore. You’re managing cloud applications, mobile platforms, IoT devices, internal services, third-party integrations, and every single one of them depends on digital certificates for secure communication. As your organisation grows, the number of certificates grows too fast. If you’re in a regulated industry (finance, healthcare, eCommerce, etc.), poor certificate management can mean non-compliance. You need to meet and follow standards such as PCI DSS, HIPAA, and ISO 27001. Hope it helps!
Hi All
Not sure why you are still referring to SSL certificates; these were redundant once TLS V1.0 came into force. What you should be doing right now, putting my Post Quantum Cryptography (PQC) hat on, is upgrade to TLS V1.3 immediately in preparation for PQC migration and discovery, as this is becoming increasingly important in 2026.
On 15 March 2026, RSA and ECC certificate lifetimes will reduce to 200 days, and progressively reduce by 15 March 2029 to 47 days, with domain validation of 10 days. So, put away the spreadsheet and the ITSM or CMDB manual process and commence preparing for automation.
There are quite a few tools and services available.
You may have to do some research yourselves and a Proof of Concept with testing to see what is going to be valid for yourselves. After Entrust was distrusted: https://www.digicert.com/blog/key-takeaways-from-the-entrust-incident
You may have many unknown wild certificates, SSH certificates and external and internal certificates within your organisation. Certificate Lifecycle management is a three-volume NIST guidance problem for everyone, and as a result of manual processes it could mean outages and configuration errors being caused.
With 2030 now looming and the first quantum computer on the horizon, now is the time to think and discover where your existing certificates reside within your organisation and prepare - Public Key Infrastructure (PKI) as it is known will be redundant along with many authentication and authorization techniques.
So educate, and prepare now.
Prepare for automation rather than manual processes.
Regards
Caute_Cautim
Decidedly low-tech, but when you manually renew a certificate put a reminder in your calendar to renew it.
Expiration monitoring is not where your focus should be. Instead, you want to eliminate the recurring administrative overhead before it becomes even more burdensome. Google "acme certificate renewal" to learn how most certificate authorities handle the automation.
Over the past year, I have had about a 60% success rate in my company convincing the various website owners to implement Certbot or Win-Acme. I figure I will get another 20% when they have to start doing it twice (or 4 or 8 times) a year. The annoying bit will be the last 20% whose appliance cannot handle automation. For those, I will likely recommend they purchase a TLS-terminating proxy to front their appliance.
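As an added example (not from any poster in this thread), the kind of check the discovery and renewal-cadence points above lead to: a stdlib-only Python routine that reads notAfter out of a DER certificate file and applies an assumed renew-when-one-third-of-lifetime-remains rule against the 47-day lifetime mentioned earlier. The sample certificate is constructed (structure only, no real key or signature) and the one-third threshold is an assumption, not a CA/B Forum rule.

```python
import datetime

def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq: bytes):
    """Split the body of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def not_after(der: bytes) -> datetime.datetime:
    """Extract notAfter from a DER X.509 certificate (RFC 5280 field order)."""
    _, cert, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, value = _children(fields[3][1])[1]             # serial, sigAlg, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)

def renewal_status(der: bytes, today: str, lifetime_days: int = 47) -> str:
    """Assumed policy: renew once a third of the (47-day) lifetime remains."""
    now = datetime.datetime.fromisoformat(today).replace(tzinfo=datetime.timezone.utc)
    left = (not_after(der) - now).days
    if left < 0:
        return "expired"
    return "renew" if left <= lifetime_days // 3 else "ok"

def _der(tag: int, content: bytes) -> bytes:            # minimal encoder for the sample only
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

# Constructed, certificate-shaped sample (structure only, no real key/signature); notAfter 2026-04-30.
SAMPLE_DER = _der(0x30, _der(0x30, b"".join([
    _der(0xA0, _der(0x02, b"\x02")),                    # [0] version v3
    _der(0x02, b"\x01"),                                # serialNumber
    _der(0x30, b""), _der(0x30, b""),                   # signature algorithm, issuer (placeholders)
    _der(0x30, _der(0x17, b"260314000000Z") + _der(0x17, b"260430000000Z")),   # validity
])) + _der(0x30, b"") + _der(0x03, b"\x00"))            # signatureAlgorithm, signatureValue
```

For PEM files, base64-decode the body between the BEGIN/END lines before passing it to `renewal_status`.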
@denbesten I think you have to get used to applying Crypto-Agility with the forthcoming mandates from the USA, Europe and Australia plus PCI-DSS and HIPAA regulatory updates for strong cryptography to be applied.
There are plenty of Hack Now, Decrypt Later (HNDL) attacks going on at present. Certificate Lifecycle Management (CLM) will be an essential skill to apply; manual intervention will not be sufficient, especially with certificates expiring literally every month (47 days) and domain validation having to be conducted every 10 days. Mistakes will be made, outages will be endured and compliance penalties will increase in frequency.
The old days of spreadsheets and manual means are fast coming to an end.
Especially in Kubernetes and CI/CD environments too, where developers often get the high level certification and security elements correct, but don't know how to enforce application security where it is needed most.
Other areas will be IoT, IoMT, SCADA, embedded devices and Smart Buildings and associated monitoring systems.
Regards
Caute_Cautim
@Caute_cautim wrote: ... manual intervention will not be sufficient, especially with certificates expiring literally every month (47 days) and domain validation having to be conducted every 10 days. ...
Although this is the driver behind our ACME push, I have learned it is not yet a great motivator.
I started reaching out to our site owners about 2 months before their traditional CSR renewal. Originally, I started with "in 2029.... 47 days" and generally got the response "we're busy now; we will deal with that later."
Eventually, I learned that I got a better response by focusing on instant gratification.... Now I suggest to people that if they can get automation set up within the next month or so, we can avoid the painful manual renewal process starting this year.
@AaronFaby wrote: automate the discovery and management of certificates.
We have technical limitations (CAA records) in place to prohibit certificate issuance without prior registration. This largely reduces the need for discovery. What remains (e.g. self-signed certs) is detected by our attack surface management tool.
We are now working on the next step in our maturity, by encouraging site owners to use ACME for cert issuance/renewal. Beyond significantly reducing the maintenance responsibility, it also shifts the remaining maintenance responsibility to the webmaster.
@denbesten You have many problems tackling PQC and Crypto Agility within the next four years - the clock is ticking.
Even this is expected to cost, by heuristic, about 15% of the current security budget per annum.
Let alone finding embedded devices, SCADA and various other IoT left behind and forgotten.
Hack Now Exploit Later is the current norm.
Regards
Caute_Cautim
@Caute_cautim, sorry, but I'm missing the connection you are making.
I understand that certificates are signed with a hash algorithm that likely will continue to evolve (from yesterday's MD5 to today's SHA-256 and eventually to tomorrow's Dilithium). What I don't understand is how PQC impacts today's desire to develop/automate a good certificate lifecycle management program, the topic of this conversation.
If anything, I would think a stellar certificate lifecycle management is one of the few things that users and admins can do today to prepare for PQC as it creates a map of where encryption is used. And, automating certificate (and system) maintenance increases the odds one can implement new hash algorithms shortly after vendors release them.
As for SSL vs TLS, absent a version number they are synonyms.