Cryptographic Audits for Enterprises — Discovery, Compliance, Crypto-Agility & PQC
Inventory every certificate, key, algorithm and dependency. Map risks to compliance, fix expiry outages, and build a credible roadmap to ≥128-bit strength and post-quantum cryptography.
Serving clients in the United States, Western Australia and Europe.
Why run a cryptographic audit now?
- Expiry-outage risk: unknown certificates and devices cause outages; discovery plus certificate lifecycle management (CLM) replaces firefighting with planned renewal.
- Compliance pressure: map crypto controls to GDPR / UK GDPR, PCI DSS 4.x, DORA, NIS2, and sector policy.
- PQC readiness: align with NIST’s direction toward ≥128-bit security strength (SP 800-131A r3 draft) and its post-quantum algorithm selections.
Scope & discovery
- Certificate discovery: data centres, cloud, containers, appliances, proxies, CDNs, load balancers — results normalised into a single inventory (owner, EKU/profile, expiry, renewal path).
- Key & crypto inventory: algorithms, sizes, validity, revocation paths, OCSP/CRL health, trust stores.
- Software/code footprint: optional cryptography bill of materials (CBOM) using static analysis (e.g., CodeQL) to find legacy crypto and hidden dependencies.
- We start fast using your existing telemetry where possible; see our Cryptographic Audit overview.
PKI & certificate lifecycle (CLM) assessment
- Hierarchy health: offline root, issuing CAs, AIA/CDP/OCSP, HA revocation & caching. See PKI design patterns.
- Profiles & naming: EKUs, validity windows, crypto baselines, template taxonomy.
- CLM maturity: discovery → policy → issuance → renewal; ACME/EST, agents/APIs; Venafi / EJBCA / Keyfactor. See Selected engagements.
KMS/HSM & key management
- Custody model & ceremonies: M-of-N control, segregation of duties, backup/restore evidence; see our HSM Services.
- Cloud patterns: Cloud HSM, managed HSM, BYOK/KEK, envelope encryption; platform choices are compared at HSM Vendors.
- Module assurance when required: FIPS 140-3 validated modules.
Applications, protocols & code
- Protocol posture: TLS (per NIST SP 800-52r2), SSH, IPsec/VPN, S/MIME; ciphers, curves, renegotiation and fallback controls.
- App libraries & APIs: OpenSSL, CNG, PKCS#11, JCE — crypto versions and deprecations.
- Software supply chain: CBOM + variant analysis (optional) to surface legacy RSA/ECC usage and non-obvious dependencies.
IoT/OT & firmware
- Device identity at scale: constrained profiles, automated enrollment (EST/ACME), offline-tolerant revocation.
- Secure boot & firmware signing (e.g., LMS, PQC pilots), long-term validation.
- Alignment to industrial guidance such as ISA/IEC 62443.
Compliance mapping (we don’t provide legal advice)
We align technical controls and evidence so your legal/compliance teams can demonstrate conformity.
What you receive
- CBOM & certificate inventory: single system of record with owners, locations, profiles, expiries and renewal paths.
- Risk register & quick wins: prioritized fixes (expiry hotspots, weak crypto, broken revocation).
- Policy/evidence pack: CP/CPS gap notes, ceremony SOPs, monitoring SLOs (OCSP freshness, CRL age, expiry MTTR).
Roadmap to ≥128-bit and PQC (practical steps)
- Stabilise: fix discovery gaps; standardise renewal windows; enable notifications and dashboards.
- Raise baselines: move toward ≥128-bit parameters; treat RSA-2048 as verification-only post-2030 (per SP 800-131A r3 draft).
- Pilot PQC: hybrid certs where feasible, PKI profile updates, app/library compatibility trials — see Quantum PKI Transition.
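As an added worked example (not code from this page or the firm's own tooling), the triage logic behind the risk register described above: each inventory row is scored for expiry against the renewal window, for NIST SP 800-57 security strength against the ≥128-bit baseline and the 2030 RSA-2048 cutoff, and for CRL age against a monitoring SLO. The record fields, thresholds and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Symmetric-equivalent security strength per NIST SP 800-57 Part 1 Table 2
# (RSA/DH by modulus size, ECC by curve size); 0 means below any approved level.
def security_strength(algorithm: str, key_bits: int) -> int:
    tables = {"RSA": ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)),
              "EC": ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80))}
    table = tables[algorithm.upper()]  # KeyError for anything the inventory does not classify
    return next((bits for size, bits in table if key_bits >= size), 0)

@dataclass
class CertRecord:          # one normalised row of the certificate inventory (assumed schema)
    name: str
    owner: str
    algorithm: str         # "RSA" or "EC"
    key_bits: int
    not_after: datetime
    crl_age_hours: float   # age of the issuer CRL as served to this endpoint

UTC = timezone.utc
CUTOFF_2030 = datetime(2030, 12, 31, tzinfo=UTC)  # RSA-2048 verification-only after this (SP 800-131A r3 draft)

def triage(records, now, renewal_days=30, crl_slo_hours=24, baseline_bits=128):
    """Build the risk register: list of (priority, name, owner, finding), P1 first."""
    out = []
    for r in records:
        days_left = (r.not_after - now).days
        bits = security_strength(r.algorithm, r.key_bits)
        if days_left < 0:
            out.append((1, r.name, r.owner, f"expired {-days_left} days ago"))
        elif days_left <= renewal_days:
            out.append((2, r.name, r.owner, f"expires in {days_left} days, inside renewal window"))
        if bits < 112:
            out.append((1, r.name, r.owner, f"{r.algorithm}-{r.key_bits} is {bits}-bit strength: disallowed"))
        elif bits < baseline_bits and r.not_after > CUTOFF_2030:
            out.append((2, r.name, r.owner, f"{bits}-bit key valid past 2030 cutoff: reissue at >={baseline_bits}-bit"))
        elif bits < baseline_bits:
            out.append((3, r.name, r.owner, f"{bits}-bit key below {baseline_bits}-bit baseline: plan migration"))
        if r.crl_age_hours > crl_slo_hours:
            out.append((2, r.name, r.owner, f"issuer CRL {r.crl_age_hours:.0f}h old, SLO {crl_slo_hours}h"))
    return sorted(out, key=lambda f: (f[0], f[1]))

# Constructed sample inventory (no real certificates) that exercises each rule.
NOW = datetime(2025, 6, 1, tzinfo=UTC)
SAMPLE = [
    CertRecord("vpn-gw.example", "netops", "RSA", 2048, datetime(2031, 3, 1, tzinfo=UTC), 2),
    CertRecord("legacy-lb.example", "appteam", "RSA", 1024, datetime(2025, 6, 15, tzinfo=UTC), 60),
    CertRecord("api.example", "platform", "EC", 256, datetime(2026, 6, 1, tzinfo=UTC), 1),
    CertRecord("old-proxy.example", "netops", "RSA", 3072, datetime(2025, 5, 20, tzinfo=UTC), 3),
]
```

Running `triage(SAMPLE, NOW)` yields two P1 findings (a disallowed 1024-bit key and an already expired certificate) ahead of the P2 expiry, CRL-age and 2030-cutoff items, which is the ordering a quick-wins list should present.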
Cryptographic audits — FAQ
How quickly can we spot expiry risks?
Most environments see actionable findings from initial discovery within days; we prioritise hotspots and fix renewal practices first.
Do you support AD CS and CLM platforms?
Yes — we assess AD CS, Venafi, EJBCA and Keyfactor, with patterns to automate issuance/renewal and reduce outages.
Can you provide CBOM for our applications?
Yes — optional static analysis (e.g., CodeQL) to build a cryptography bill of materials and locate legacy or risky usage.
Do you align to compliance frameworks?
We map technical controls to GDPR/UK GDPR, PCI DSS 4.x, DORA/NIS2 and trust-service guidance. Your legal team retains sign-off.
