Selected Client Engagement — Tier-1 UK Bank (sanitised)
Sector: Finance
Role: Principal PKI/CLM Architect
Duration: Multi-month programme
Scope: Discovery → design → implementation → hand-over
Summary
Engaged as Principal PKI/CLM Architect for a Tier-1 UK bank, we led a large-scale certificate discovery, implemented Venafi Trust Protection Platform (TPP) for lifecycle automation, and refreshed the Certificate Policy (CP) and Certification Practice Statement (CPS) to align them with current risk, regulatory, and operational needs.
Context
- Legacy AD CS estates with multiple issuing CAs; fragmented certificate ownership and renewals.
- Limited visibility of non-Windows certificates (Linux, appliances, load balancers, containers, cloud).
- Increasing regulatory scrutiny and the need for audit-ready governance (CP/CPS).
- Objective to reduce outage risk from expiries and standardise renewal workflows.
What was delivered
1) Bank-wide certificate discovery & inventory
- Designed and executed discovery across data centres, cloud accounts, container platforms, and key network zones.
- Normalised results into a single system of record (owner, environment, EKU/profile, expiry, renewal path).
- Identified high-risk certificates (short validity, weak crypto, orphaned, unmanaged endpoints).
2) Venafi TPP design & implementation (CLM)
- Built a target operating model for certificate lifecycle management using Venafi TPP.
- Integrated TPP with AD CS and selected public CAs; onboarded key device types and platforms.
- Established policy folders, approval workflows, and RBAC aligned to risk tiers and environments.
- Implemented automation for discovery, enrolment, and renewal (agents, APIs, and platform-specific integrations).
- Integrated change notifications and metrics into SIEM/observability for proactive alerting.
3) Renewal automation & zero-surprise expiries
- Standardised renewal windows and notification cadences; eliminated ad-hoc manual renewals.
- Automated certificate deployment to common endpoints (web tiers, proxies, load balancers, app servers).
- Wrote playbooks for blue/green or in-place certificate rollover, each with post-deployment validation and back-out options.
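The discovery classification in section 1 and the renewal-window check in section 3, as an added Go example that is not the bank's, the programme's or Venafi's code: it normalises a parsed X.509 certificate into a system-of-record row and raises the high-risk flags listed above (orphaned, weak crypto, short validity) plus an in-renewal-window flag. The thresholds, the record fields and the self-signed sample certificates are constructed for the example; a real run would feed it certificates collected by the discovery agents.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed policy thresholds for this example; the bank's real CP values are not on the page.
const minRSABits, shortValidity, renewalWindow = 2048, 90 * 24 * time.Hour, 30 * 24 * time.Hour
// InventoryRecord is one normalised system-of-record row (field names are assumptions).
type InventoryRecord struct {
	Subject, Owner, Env string
	EKUs                []x509.ExtKeyUsage
	NotAfter            time.Time
	Findings            []string // high-risk flags raised during discovery
}
// Classify normalises a discovered certificate and applies the discovery-phase risk checks.
func Classify(cert *x509.Certificate, owner, env string, now time.Time) InventoryRecord {
	rec := InventoryRecord{Subject: cert.Subject.CommonName, Owner: owner, Env: env, EKUs: cert.ExtKeyUsage, NotAfter: cert.NotAfter}
	flag := func(c bool, msg string) { if c { rec.Findings = append(rec.Findings, msg) } }
	flag(owner == "", "orphaned: no registered owner")
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	flag(isRSA && pub.N.BitLen() < minRSABits, "weak crypto: RSA key below policy minimum")
	flag(cert.NotAfter.Sub(cert.NotBefore) < shortValidity, "short validity: needs automated renewal")
	flag(cert.NotAfter.Sub(now) < renewalWindow, "inside renewal window: renew now")
	return rec
}

// makeCert builds a self-signed certificate standing in for a discovered endpoint certificate.
func makeCert(cn string, bits, days int) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

func main() {
	rec := Classify(makeCert("legacy.internal.example", 1024, 800), "", "prod", time.Now())
	fmt.Printf("%s owner=%q findings=%v\n", rec.Subject, rec.Owner, rec.Findings)
}
```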
4) Governance: CP/CPS refresh & evidence pack
- Updated CP to reflect crypto baselines (algorithms, key sizes, validity, EKUs) and ownership/accountability.
