National public sector — crypto audit & PKI Remediation

National public sector — crypto audit & PKI CLM Update

Sector: Government & public sector
Role: Principal PKI/Crypto Architect
Duration: Multi-month programme
Scope: Assessment → design → remediation → governance hand-over

Summary

A national public sector body engaged Steve Monti of SafeCipher to audit its cryptography and strengthen Active Directory Certificate Services (AD CS). We aligned policy with current risk and regulatory expectations, eliminated availability risks across the PKI stack, and introduced modern lifecycle controls for certificates and keys.

Objectives

  • Align CP/CPS and operating procedures with policy and assurance needs
  • Reduce outage and expiry risk; improve PKI availability and observability
  • Establish a clear authority for cryptographic policy and ownership
  • Harden AD CS and the supporting publishing/validation components
  • Standardise certificate lifecycle management across hybrid/on-prem/cloud

What we delivered

1) CPS/CP gap assessment & ceremony improvements

  • Benchmarked CP/CPS against current crypto baselines (algorithms, key sizes, validity, EKUs) and operational controls
  • Mapped gaps to remedial actions; updated ceremony SOPs, RACI, and evidence packs
  • Introduced role separation and dual-control (M-of-N) for sensitive key operations

2) Policy & governance review for the crypto estate

  • Rationalised policy hierarchy (Org Crypto Policy → CP → CPS → SOPs/runbooks)
  • Defined ownership, change control, and exception handling with time-bounded waivers
  • Established minimum crypto baselines for protocols, ciphers, and libraries across platforms

3) Creation of a new Policy Authority for cryptographic & PKI artefacts

  • Formed a cross-functional authority with clear mandate (approve profiles, CAs, HSM policies, exceptions)
  • Implemented a lightweight governance calendar and reporting (assurance dashboards, KPIs)

4) Shared service for HSMs

  • Designed a centrally governed HSM shared service with tenancy boundaries and RBAC
  • Standardised key lifecycle (generation/import, rotation, archival, destruction) and backup/restore
  • Produced platform patterns for on-prem HSM and cloud-managed HSM (BYOK/Host-Key)

5) Audit of the HSM estate

  • Inventory and configuration review (firmware/FIPS modes, partitions, key custody, backup hygiene)
  • Remediation plan for firmware uplift, access segmentation, and audit logging to SIEM

6) Introduction of Venafi for certificate lifecycle management

  • Deployed Venafi TPP as the CLM control plane for discovery, enrolment, renewal, and policy enforcement
  • Integrated with AD CS and selected public CAs; onboarded priority endpoint classes
  • Established approval workflows, policy folders, and delegated administration

7) AD CS hardening & availability

  • Consolidated templates and EKUs; enforced SHA-256+/RSA-2048/3072 (or org standard), SAN usage, and name constraints where applicable
  • Moved issuing CA keys to HSM custody; refreshed CRL/OCSP design with HA and shorter CRL overlap
  • Cleaned AIA/CDP publishing paths; added CDN/edge caching for revocation/OCSP resilience
  • Implemented monitoring for certificate expiry, request queue health, revocation publishing, and OCSP responder status
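As an added illustration of the revocation monitoring described in this section (example code written for this page, not SafeCipher's tooling or the client's configuration): a standard-library Python script that extracts thisUpdate/nextUpdate from a DER-encoded CRL and grades it against the CA's configured CRL period. The interesting state is "overdue": the CA should already have published a successor CRL, relying parties are only being carried by the overlap window, and that is the point at which a monitor should alarm rather than waiting for nextUpdate to pass. The sample CRL it builds is a constructed, unsigned fixture; the CA name, the weekly period, the 12-hour overlap and the function names are all assumptions.

```python
"""
CRL freshness check for an AD CS (or any X.509) CRL, standard library only.

Pulls thisUpdate / nextUpdate out of a DER CertificateList with a minimal
ASN.1 walker, then grades the CRL against the CA's configured CRL period:
a CRL is "overdue" once the CA should already have published a successor
but relying parties are still being carried by the overlap window.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


# --- minimal DER reader ----------------------------------------------------
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed type into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _parse_time(tag: int, val: bytes) -> datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) per RFC 5280 4.1.2.5."""
    s = val.decode("ascii")
    if tag == 0x17:                                    # YYMMDDHHMMSSZ; 50-99 => 19xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                                  # YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(der: bytes) -> Tuple[datetime, Optional[datetime]]:
    """Return (thisUpdate, nextUpdate) from a DER CertificateList.

    The signature is NOT verified here; verify it against the issuing CA
    certificate before acting on these timestamps in production.
    """
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CRL does not start with a SEQUENCE")
    _, tbs, _ = _read_tlv(cert_list, 0)               # tbsCertList
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0              # optional version INTEGER
    i += 2                                            # signature AlgorithmIdentifier, issuer Name
    this_update = _parse_time(*fields[i])
    next_update = None
    if i + 1 < len(fields) and fields[i + 1][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i + 1])
    return this_update, next_update


def crl_status(der: bytes, crl_period: timedelta, now: datetime) -> Dict[str, object]:
    """Grade a CRL: fresh / overdue (living on overlap) / expired / future-dated."""
    this_update, next_update = crl_validity(der)
    if next_update is None:
        raise ValueError("CRL has no nextUpdate; cannot judge freshness")
    publish_due = this_update + crl_period            # successor CRL should exist by now
    if now < this_update:
        status = "future-dated"                       # clock skew between CA and monitor
    elif now <= publish_due:
        status = "fresh"
    elif now < next_update:
        status = "overdue"                            # alert here, before relying parties fail
    else:
        status = "expired"
    return {"status": status, "this_update": this_update, "next_update": next_update,
            "publish_due": publish_due, "expires_in": next_update - now}


# --- constructed sample CRL (unsigned; placeholder signature bytes) --------
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the test fixture."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_crl(this_update: datetime, next_update: datetime) -> bytes:
    """Constructed fixture, not a real CA's CRL: v2, sha256WithRSA OID, fake signature."""
    def utc(d: datetime) -> bytes:
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                            + _der(0x0C, b"Constructed Issuing CA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    sig = _der(0x03, b"\x00" + b"\xAA" * 32)          # placeholder, not a real signature
    return _der(0x30, tbs + alg + sig)


def demo() -> Dict[str, object]:
    """Weekly CRL with a 12-hour overlap (assumed values), probed at three points in its life."""
    this_update = datetime(2024, 1, 1, tzinfo=timezone.utc)
    period, overlap = timedelta(days=7), timedelta(hours=12)
    der = build_sample_crl(this_update, this_update + period + overlap)

    def probe(delta: timedelta) -> object:
        return crl_status(der, period, this_update + delta)["status"]
    return {"parsed": crl_validity(der) == (this_update, this_update + period + overlap),
            "day3": probe(timedelta(days=3)),
            "day7h6": probe(timedelta(days=7, hours=6)),
            "day8": probe(timedelta(days=8))}


if __name__ == "__main__":
    print(demo())
```

Against a live CA, feed the published CRL file to `crl_status(open("ca.crl", "rb").read(), timedelta(days=7), datetime.now(timezone.utc))`, where the period passed in is the CA's configured publication interval (on AD CS, the `CRLPeriod`/`CRLPeriodUnits` registry values readable with `certutil -getreg CA\CRLPeriod`); the overlap is whatever the CA adds on top, so it falls out of nextUpdate rather than needing to be configured twice. The script deliberately stops at parsing: it does not verify the CRL signature or fetch from the CDP, both of which belong in the monitor before any timestamp is trusted.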

8) Hybrid estate cryptographic review

  • Assessed crypto across Windows/Linux, appliances, proxies, load balancers, containers, and cloud services
  • Recommended protocol/cipher baselines (TLS 1.2+ with modern suites), key/CSR standards, and secure deployment patterns

Outcomes

  • Policy alignment: Updated CP/CPS approved; exceptions process operational with audit trail
  • Availability: HA revocation & publishing; reduced single points of failure; faster CRL/OCSP delivery
  • Risk reduction: Expiry incidents avoided; automated renewals on priority endpoints via CLM
  • Governance: Policy Authority instituted; measurable KPIs for issuance, renewals, and exceptions
  • Assurance: Ceremony evidence packs and logging integrated with SIEM; improved audit readiness

Technology & methods

  • AD CS, HSM (on-prem and managed), Venafi TPP (discovery/CLM), Windows/Linux endpoints
  • RBAC with directory integration, dual-control key ceremonies, change management and runbooks

Related services: PKI design & architecture · Managed HSM & BYOK · Cryptographic audits
Get help: Contact us · Email: crypto@safecipher.co.uk