What Are the Risks of Unclear PKI Ownership?

Strong Security Starts with Clear PKI Ownership.
Key Points
  • Most certificate-related outages and breaches occur not because the technology fails, but because no one owns the end-to-end process.
  • Centralized certificate inventories, automated renewals, and continuous monitoring eliminate the human errors that cause downtime and compliance gaps.
  • Treating PKI as part of enterprise risk management, supported by clear policies, audits, and accountability, ensures reliability, compliance, and long-term trust.

Typically, the security team governs the organization’s overall PKI infrastructure. At the same time, the day-to-day management of digital certificates is delegated to a dedicated PKI operations team. This structure allows the security team to define policies, compliance standards, and trust models. The PKI team focuses on implementing these policies and issuing, renewing, and revoking certificates to maintain continuous trust across users, devices, and applications.

However, today’s networks are far more complex with managed and unmanaged devices, cloud identities, contractors, and remote users. Many organizations still treat PKI as a shared responsibility in this environment, leaving ownership fragmented and accountability unclear. The risks of unclear PKI ownership multiply during network outages caused by expired or misconfigured certificates, authentication failures, and compliance violations. Ultimately, unclear PKI ownership undermines the trust and reliability that the infrastructure is meant to protect.

Understanding the PKI Building Blocks

A PKI establishes and manages the certificate lifecycle and cryptographic key pairs used to authenticate, encrypt, and sign digital communications. It comprises multiple components, such as a Root CA, an Intermediate CA, certificate templates, revocation methods (e.g., CRL), hardware security modules, and a RADIUS server. Together, these components establish a Root of Trust (RoT) that validates and authenticates all identities within the network.

What Does PKI Ownership Mean?

A Venafi report states that 81% of organizations have experienced at least one certificate outage due to an expired certificate in the past two years. It’s an important reminder that when PKI ownership isn’t clearly defined, even one missed renewal can disrupt critical systems and expose security gaps.

PKI ownership refers to assigning clear responsibility for the entire certificate lifecycle, including issuance, renewal, revocation, monitoring, and policy enforcement. It ensures accountability for maintaining trust across every user, device, and application that relies on certificates for secure communication. PKI ownership can be viewed in two layers: governance ownership, which defines the trust model, CA policies, and compliance requirements; and operational ownership, which ensures that certificate issuance, renewal, and revocation processes are executed and monitored.

However, PKI governance often spans multiple teams. Security governs policy, IAM handles identity provisioning, Networking manages TLS and device authentication, and DevOps integrates certificates into automation workflows. This cross-functional overlap makes it easy for accountability to blur and for certificates to fall between team silos. 

While PKI governance spans multiple teams, this cross-functional model is a strength when guided by clear ownership and shared objectives. The security team defines policies and trust frameworks; IAM ensures proper identity mapping; networking manages TLS and device authentication; and DevOps integrates certificates into automated workflows. When these teams collaborate under a unified governance structure, they ensure that a PKI delivers consistent value across the organization rather than operating as a siloed security function.

A Representation of PKI Ownership Across an Example Organization

Role           | Core Focus                                                        | Key Tools                             | Action Trigger
---------------|-------------------------------------------------------------------|---------------------------------------|------------------------------
Network Admin  | Resolve 802.1X / RADIUS issues; maintain Wi-Fi & VPN auth         | Cisco ISE, Aruba ClearPass, SecureW2  | Auth failure, connection issue
Helpdesk       | Onboarding & support for cert errors; escalate device trust issues | SecureW2 Helpdesk, MDM dashboards     | Ticket logged, error reported
MDM Admin      | Manage device certificates & compliance via SCEP/ACME             | Intune, Jamf, Kandji                  | New device enrolled
IAM Engineer   | Enforce access policies, integrate cert-based auth                | Okta, Azure AD, PingIdentity          | Access or role change
Security Team  | Monitor trust posture, handle revocations                         | SentinelOne, CrowdStrike, SecureW2    | Risk alert, anomaly detected
CIO / CISO     | Oversee PKI policy, compliance, and audits                        | Dashboards, audit logs                | Audit cycle, board update

When no single owner is accountable, certificates slip through the cracks, leading to outages, authentication errors, and compliance failures. Establishing clear PKI ownership prevents these risks and strengthens organizational trust and operational resilience.

What Happens When No One Owns Your PKI?

Without centralized PKI governance, certificates are scattered across different systems, lacking a single point of tracking. Teams create and use certificates independently, often with no shared process or record. It is hard to know which certificates are active, when they expire, or what systems rely on them. Alerts go unnoticed because they’re spread across multiple tools, and no single view shows the full picture. Over time, admins lose visibility and discover problems during a network outage or security breach.

Shadow IT and Hidden PKI Risks

Shadow IT creates blind spots that weaken an organization’s security posture when teams deploy their own local certificate authorities (CAs) or issue self-signed certificates outside approved governance. They bypass security measures and governance controls to quickly enable internal apps, test environments, or network access, leaving no visibility into key protection, expiry tracking, or revocation. Because these unmonitored certificates still establish trust within the system while escaping central oversight, they become hidden trust anchors that attackers can exploit as entry points into the environment.

Over time, shadow PKI fragments the organization’s trust model, introduces unmanaged attack surfaces, and makes it nearly impossible for security teams to maintain full visibility or enforce compliance across the certificate ecosystem.

Unmonitored Certificate Lifecycle Management

Without a designated PKI owner, certificates may silently lapse across multiple systems, such as authentication servers, VPN gateways, and web applications. An expired certificate fails the trust handshake between clients and servers. A RADIUS server will reject device authentications, and HTTPS sessions return invalid certificate errors.

Wi-Fi networks that rely on 802.1X lose their identity validation, forcing users into constant reconnect loops, while VPNs block access due to untrusted tunnels. These failures lead to widespread downtime, helpdesk overload, and frustrated users scrambling for temporary workarounds.

Threats Due to Misissued Certificates 

If you issue certificates without policies in place, there is no clarity on who requests and issues them, what domains or devices they cover, or how keys are protected. Attackers or careless insiders can issue unauthorized certificates that appear trusted to browsers, devices, or internal systems. These rogue certificates can spoof corporate websites, intercept encrypted traffic, or impersonate legitimate servers in a man-in-the-middle (MITM) attack.

Since the traffic remains encrypted, traditional security tools like firewalls often fail to detect the intrusion. Without proper role-based access, issuance approvals, and CA logging, the organization loses visibility into its network, making it easy for malicious actors to exploit weak certificate governance.

Compliance Risks of Fragmented PKI Ownership

A fragmented, non-centralized PKI scatters certificates everywhere, leading admins to miss certificate renewal dates and resulting in expired certificates that cause network outages. From a compliance standpoint, this lack of traceability makes it impossible to demonstrate compliance with frameworks such as ISO 27001 A.10.1.2 (Key Management), SOC 2, or PCI DSS 3.6 (Cryptographic key management), which require documented key management and audit trails.

When auditors discover untracked or misconfigured certificates, the organization incurs penalties and remediation costs. These costs undermine the organization’s credibility with customers and partners regarding its security maturity and governance.

Real-World Incidents: The Cost of Unclear PKI Ownership

Even the world’s most advanced organizations have suffered major disruptions and breaches due to unclear or fragmented PKI ownership. The following cases depict how certificate mismanagement can ripple through operations, security, and trust for even the biggest names in the market.

1. Microsoft Teams & Skype Outage (February 2020)

On 3rd February 2020, Microsoft Teams suffered a global outage that left millions of users unable to access the service for several hours. Microsoft acknowledged the issue as an expired TLS/SSL authentication certificate and deployed a replacement certificate. 

The root cause was a missed renewal of a critical authentication certificate. This caused authentication failures across the login infrastructure, rendering the Teams application inaccessible to users worldwide. The incident was a clear reminder that certificate renewal is not a routine task but a key component of uptime and service reliability.

2. Equifax Breach (2017)

In 2017, Equifax suffered a data breach after an expired TLS/SSL certificate disabled a network traffic inspection tool for 76 days. This allowed attackers to exfiltrate sensitive personal data from millions of users undetected. The lack of unified visibility of network systems, inventory, renewal policies, and unmonitored certificates led to missed alerts. 

The business lesson: Even large enterprises can face catastrophic breaches, compliance penalties, and reputational damage with unmanaged certificates. Centralized lifecycle management and a single source of truth are essential to maintaining visibility, preventing lapses, and protecting digital trust.

3. Oculus Rift Outage (2018)

In 2018, all Oculus VR headsets suddenly stopped working when an essential runtime certificate expired. Users were unable to launch applications or access their devices. The issue persisted until Oculus released an emergency patch that replaced the expired certificate and restored functionality. 

The root cause was a lack of visibility into how embedded certificates controlled runtime validation within the headset software. The incident highlighted that even internally managed or consumer device ecosystems rely on certificate integrity and renewal discipline. Without clear ownership and automated lifecycle management, a single overlooked certificate can disable entire fleets of connected devices.

4. DigiNotar Breach (2011)

Attackers compromised the Dutch certificate authority DigiNotar in 2011, which allowed them to issue over 500 fraudulent certificates for domains belonging to Google, Yahoo, and intelligence agencies. Because DigiNotar was a trusted root in major browsers, these fake certificates were accepted globally, enabling large-scale man-in-the-middle attacks and surveillance.

The DigiNotar breach exposed poor network segmentation, a lack of intrusion detection, and the absence of independent auditing of certificate issuance. The incident ultimately led to DigiNotar’s collapse and removal from all major trust stores. It reinforced that PKI ownership must include continuous CA auditing, strict issuance controls, and firm trust boundaries to prevent abuse within the chain of trust.

5. Symantec CA Distrust (2017–2018)

Between 2017 and 2018, major browsers, including Google Chrome and Mozilla Firefox, revoked trust in Symantec’s root certificates. It was revealed that Symantec and its affiliates had misissued over 30,000 certificates. This incident exposed serious gaps within Symantec’s CA, with inadequate oversight of registration authorities and inconsistent validation practices.

As a result, Symantec was forced to transition its CA business to DigiCert, marking one of the largest trust removals in internet history. The case underscored that PKI ownership isn’t just operational; it requires strong internal governance, compliance monitoring, and transparent auditing to preserve global trust.

Outages and breaches like Microsoft Teams, Equifax, and DigiNotar reveal a pattern of unclear PKI ownership leading to disruption and loss of trust. PKI governance requires full visibility into certificate inventories, automated renewal workflows, strong issuance controls, and continuous auditing of CAs and trust chains.

PKI Best Practices to Prevent Ownership Failures

Let’s look at the best PKI practices that ensure continuous trust and compliance.

Assign Clear PKI Ownership

Establish a dedicated team to manage PKI infrastructure and certificate lifecycle operations end-to-end. This includes maintaining the root and subordinate CAs, defining issuance policies, enforcing key protection standards (such as HSM-based key storage), and integrating certificate workflows with identity and access systems. 

In enterprise PKIs, the Root CA typically remains offline for security, used only to sign and trust subordinate (operational) CAs that handle day-to-day certificate issuance. Alongside the CAs, a Registration Authority (RA) plays a critical role in validating certificate requests, approving issuance, and enforcing identity verification policies to prevent unauthorized use. Each function should have defined technical owners, with auditable logs and least-privilege access controls, to maintain visibility, accountability, and resilience and prevent outages or misconfigurations caused by unmanaged or overlapping responsibilities.

Maintain a Certificate Inventory

Build a centralized, continuously updated inventory of all certificates across on-prem, cloud, and third-party systems. Use automated discovery and alerting tools to detect shadow or expired certificates before they impact operations. NIST SP 1800-16 emphasizes that maintaining a complete, real-time certificate inventory is the foundation for visibility, renewal management, and incident response readiness.

Automate Issuance, Renewal & Revocation

Integrate automated issuance, renewal, and revocation workflows into ITSM, MDM, and DevOps pipelines to eliminate manual errors and downtime. You can automate certificate issuance using protocols such as SCEP, ACME, or JSON-based APIs to securely provision certificates across endpoints, servers, and containers. Renewal automation replaces certificates before they expire, while publishing revocation through CRLs and OCSP ensures that certificates are immediately treated as untrusted when devices or users fall out of compliance. A CRL or OCSP responder only answers revocation status checks and does not issue alerts; integrating them with monitoring systems is what detects upcoming expirations and revoked certificates.
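The inventory and monitoring practices above (a centralized, continuously updated inventory, and alerting that detects expirations and shadow-issued certificates before they cause outages) can be put into practice with a small audit pass over a discovery export. The following is an added example, not code from the original article or from any vendor named on the page; the CSV rows, the hostnames, and the list of approved issuing CAs are all constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export from a certificate discovery tool (not real data).
INVENTORY_CSV = """hostname,subject,issuer,not_after,owner,source
vpn.example.test,CN=vpn.example.test,CN=Corp Issuing CA 01,2025-01-10T00:00:00Z,netops,scanner
radius.example.test,CN=radius.example.test,CN=Corp Issuing CA 01,2025-03-01T00:00:00Z,,scanner
build01.example.test,CN=build01.example.test,CN=build01.example.test,2027-06-30T00:00:00Z,devops,scanner
intranet.example.test,CN=intranet.example.test,CN=Lab Root CA,2026-12-31T00:00:00Z,appteam,mdm
www.example.test,CN=www.example.test,CN=Public CA X1,2025-09-15T00:00:00Z,webteam,scanner
"""

# Assumed governance list: the only CAs the PKI owner has approved to issue certificates.
APPROVED_ISSUERS = {"CN=Corp Issuing CA 01", "CN=Public CA X1"}

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-01-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_inventory(text):
    """Load the discovery export into a list of dicts with a real datetime in not_after."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["not_after"] = parse_ts(row["not_after"])
    return rows

def audit(text, now_iso, warn_days=30, approved=APPROVED_ISSUERS):
    """Return {hostname: [findings]} for every certificate that needs an owner's action.

    Findings: expired, expiring (within warn_days), self-signed (shadow cert),
    unapproved-issuer (shadow CA), no-owner (the ownership gap this article is about).
    """
    now = parse_ts(now_iso)
    horizon = now + timedelta(days=warn_days)
    findings = {}
    for row in parse_inventory(text):
        issues = []
        if row["not_after"] <= now:
            issues.append("expired")
        elif row["not_after"] <= horizon:
            issues.append("expiring")
        if row["subject"] == row["issuer"]:
            issues.append("self-signed")
        elif row["issuer"] not in approved:
            issues.append("unapproved-issuer")
        if not row["owner"].strip():
            issues.append("no-owner")
        if issues:
            findings[row["hostname"]] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(INVENTORY_CSV, "2025-02-15T00:00:00Z").items():
        print(f"{host}: {', '.join(issues)}")  # feed these into ITSM tickets or alerts
```

Each finding maps to a named owner in the role table earlier on the page (expiring RADIUS certificates to the network admin, self-signed build certificates to DevOps), which is what turns a discovery scan into an accountable workflow.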

Conduct Regular Audits

Perform periodic PKI audits to validate certificate policies, CA hierarchies, and renewal processes. Frameworks such as NIST SP 1800-16 recommend auditing PKI environments at least annually to identify gaps in issuance controls, rogue certificates, and noncompliant configurations. Regular audits strengthen governance and reinforce accountability across teams.

Integrate PKI into Risk Management

Treat PKI as a core component of enterprise risk management rather than a standalone IT task. Incorporate certificate governance into vulnerability management, business continuity planning, and compliance assessments. During risk assessments, review the certificate inventory alongside other digital assets to identify expired, weak, or orphaned credentials that could be exploited for impersonation or data interception. Embedding PKI governance into the organization’s overall risk posture ensures that digital trust is continuously validated and maintained across all systems and services.

Turn Your PKI from a Liability into a Strength

PKI failures are rarely the result of flawed technology. They stem from unclear accountability, fragmented ownership, and a lack of governance discipline. When no one is responsible for monitoring expirations, enforcing policy, or auditing trust relationships, even the most advanced systems can fail catastrophically. By establishing clear ownership, automating certificate workflows, and maintaining continuous visibility, organizations can prevent the next Microsoft- or Equifax-level outage before it happens.