
Certificate expiries have a way of becoming visible at the worst possible moment — a production outage, a failed customer transaction, an emergency change request at 2am. Long before that happens, though, there are usually quieter signs that certificate management has become a liability rather than a routine task.
1. Nobody Can Say Exactly How Many Certificates You Have
If the honest answer to “how many certificates does our organisation manage” is an estimate rather than a number, that’s the clearest possible sign the inventory doesn’t exist in any reliable form — and everything downstream of it, including expiry tracking, is built on guesswork.
2. Renewal Is a Manual, Person-Dependent Process
If certificate renewal depends on a specific person remembering, a calendar reminder, or a ticket queue that occasionally gets missed, the process has no real resilience. The organisations that get burned by expiries are almost always the ones relying on human memory rather than automation.
3. Certificates Outlive the Systems or Teams That Requested Them
A certificate issued for a project that’s since been decommissioned, or owned by someone who left the organisation two years ago, is a certificate nobody is actively managing — and often nobody notices until it becomes a problem.
4. Key Lengths and Algorithms Vary Wildly Across the Estate
Inconsistent cryptographic standards — some services on modern configurations, others still running defaults set years ago — is a strong indicator that certificate issuance has never been centrally governed, which makes both security posture and migration planning far harder than they need to be.
5. “Rotate the Keys” Is Treated as a Major Project, Not a Routine Operation
In a well-automated environment, rotating a key or certificate is a non-event. If it instead requires a change-management process, cross-team coordination, and contingency planning every time, that’s a sign the underlying lifecycle isn’t automated — and it will become the bottleneck the moment a larger migration, like a post-quantum transition, requires touching every certificate in the estate.
Why This Matters Beyond Day-to-Day Operations
Manual certificate and key management isn’t just an operational inconvenience — it’s consistently the single most common reason cryptographic migration timelines slip. Automating certificate lifecycle management before a large-scale migration begins removes a bottleneck that would otherwise gate everything else.