We provide end‑to‑end certificate lifecycle management across heterogeneous estates (IT, OT/IIoT, cloud, on‑prem). This includes discovery, inventory, issuance, renewal, rotation, revocation, escrow/archival, and decommissioning—automated wherever possible and governed by customer policy.
Our approach is vendor‑neutral. We integrate your existing CAs, CLM platforms, HSMs, and cloud providers, and we recommend the right control plane for your risk, compliance, and operational profile. We also prioritise customer‑managed keys (BYOK) and Managed HSM options where feasible.
Certificate Discovery, Inventory & Automation (PKI, TLS/SSL, mTLS)
- Discovery & Inventory: Agentless and agent‑based scans across data centres, cloud (IaaS/PaaS), Kubernetes/containers, OT networks, load balancers, web servers, proxies, MDM/EMM, WAFs, message brokers, databases, application servers, and endpoints.
- Issuance & Enrolment: ACME, EST, SCEP, CMP/CMC, API‑based, RA/secondary CA models, and custom workflows.
- Automated Renewals: Policy‑driven pre‑expiry windows, canary checks, blue/green rollovers, staged deployments, and maintenance windows.
- Revocation: One‑click or policy‑triggered CRL/OCSP updates, with incident response hooks.
- Key Management: HSM integration (on‑prem & cloud), key escrow where policy allows, CSR generation standards, algorithm profiles (RSA, ECDSA, and PQC roadmaps).
- Governance: Certificate Policy (CP), CPS alignment, naming standards, tagging/metadata, audit trails, SLA/SLOs.
- Service Integration: ITSM/CMDB (e.g., ServiceNow), SIEM/SOAR, secrets managers, CI/CD, GitOps, device management (MDM/EMM/MTD), and cloud‑native services.
PKI & CLM Vendors We Support (Keyfactor, Venafi, EJBCA, DigiCert, Entrust, GlobalSign, Sectigo, Microsoft AD CS, AWS ACM, Azure Key Vault, HashiCorp Vault)
We maintain concise reference shortcodes so procurement, architecture, and operations can unambiguously map a request to the correct CA/CLM/HSM or cloud service. Below is our standard catalogue. (We can tailor to your environment.)
| Category | Vendor | Product / Platform | Typical Role | Key Integrations | Our Reference |
|---|---|---|---|---|---|
CLM | Keyfactor | Command (incl. EJBCA connectors) | Enterprise CLM & discovery; device & server cert automation | AD/LDAP/Entra ID, F5/Nginx/HAProxy, IIS/Apache, Kubernetes, Azure/AWS/GCP | KF‑CLM |
CLM | Venafi | Control Plane / TLS Protect | Enterprise CLM; policy control for multi‑CA environments | Broad connector ecosystem, F5/A10, cloud KMS, ServiceNow | VEN‑TLSP |
CA/PKI | Keyfactor | EJBCA Enterprise (on‑prem/Cloud) | Enterprise CA, subordinate/issuing CAs, ACME/EST | Managed HSM (Azure/AWS), RA workflows, device enrolment | KF‑EJBCA |
CA/PKI | DigiCert | CertCentral / Managed PKI | Public‑trust & private PKI issuance; automation via ACME/API | Web servers, MDM, IoT device issuance | DIGI‑CC |
CA/PKI | Entrust | Entrust Certificate Services / PKIaaS | Public/private PKI, enterprise issuance & automation | CLM integrations, HSM options, enterprise SSO | ENT‑ECS |
CA/PKI | GlobalSign | Atlas / Managed PKI | Public/private PKI, device identity at scale | IoT device identity, ACME, APIs | GS‑ATLAS |
CA/PKI | Sectigo | CCM / Private PKI | Public/private PKI; discovery and automation toolset | ACME, APIs, DevOps integrations | SECT‑CCM |
Cloud CA / Manager | AWS | AWS Certificate Manager (ACM) | TLS for AWS workloads, private CA (ACM PCA) | ELB/ALB, CloudFront, API GW, EKS | AWS‑ACM / AWS‑PCA |
Cloud KMS/HSM | Microsoft Azure | Key Vault / Managed HSM | Key custody, CSR signing, CA key protection, secrets | AKV, Managed HSM, App Services, AKS | AZ‑AKV / AZ‑MHSM |
Secrets | HashiCorp | Vault (PKI engine) | Internal CA / short‑lived certs for microservices | Kubernetes, CI/CD, dynamic secrets | HV‑VAULT‑PKI |
Microsoft PKI | Microsoft | AD CS (on‑prem) | Legacy/enterprise CA, NDES/SCEP for devices | Intune, GPO auto‑enrolment | MS‑ADCS |
We also maintain mappings to other ecosystems on request (e.g., Google CAS, Let’s Encrypt for ACME automation in specific scenarios, and OT vendor PKI integrations).
How to Choose a Certificate Lifecycle Management Approach (Use Cases & Patterns)
- Enterprise, multi‑CA, strict governance → Venafi (VEN‑TLSP) or Keyfactor Command (KF‑CLM) as control plane; underlying CAs may be EJBCA (KF‑EJBCA), AD CS (MS‑ADCS), or cloud (AWS‑PCA, private DIGI‑CC, ENT‑ECS, GS‑ATLAS, SECT‑CCM).
- Modern greenfield with BYOK/HSM → KF‑CLM + KF‑EJBCA on AZ‑MHSM (or on‑prem HSM), ACME/EST for automation.
- Cloud‑first workloads → Native AWS‑ACM for AWS TLS edge; complement with KF‑CLM or VEN‑TLSP for cross‑cloud inventory/policy.
- Service Mesh / Kubernetes → HV‑VAULT‑PKI for short‑lived certs, backed by enterprise CA; CLM platform orchestrates issuance and rotation.
- Legacy AD auto‑enrolment → MS‑ADCS with GPO/auto‑enrolment; CLM overlays discovery, renewal windows, governance, and migration path.
Standardised Certificate Request Naming (Policy, CA, Environment)
To avoid ambiguity, every certificate workflow references the platform shortcode, CA alias, and policy:
<Platform>/<CA‑Alias>/<Policy‑Name>/<Environment>/<Zone>/<App‑ID>
Example: KF‑CLM/KF‑EJBCA/ServerTLS‑Strict/PROD/DMZ/payments‑api
- Platform: One of the shortcodes above (e.g., KF‑CLM, VEN‑TLSP, AWS‑ACM).
- CA‑Alias: The issuing CA (e.g., KF‑EJBCA‑ISS01, MS‑ADCS‑SUB02, AWS‑PCA‑EU1).
- Policy‑Name: Encodes key type/size, validity, EKUs, SAN rules, renewal threshold, revocation behaviour, audit level.
- Environment/Zone/App‑ID: Organisational routing for approvals, change windows, and CMDB linkage.
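The reference format above is easy to get subtly wrong (a missing field, an unknown shortcode, a non‑breaking hyphen pasted from a document). The validator below is an added example, not the page's or any vendor's tooling; it assumes the shortcodes in the catalogue above, an environment vocabulary of DEV/TEST/UAT/PROD (the page only shows PROD), and that a CA alias is a CA shortcode with an optional instance suffix such as KF‑EJBCA‑ISS01.

```python
"""Parse and validate <Platform>/<CA-Alias>/<Policy-Name>/<Environment>/<Zone>/<App-ID>."""
import re
from dataclasses import dataclass

# Shortcodes from the catalogue on this page (ASCII hyphens).
PLATFORMS = {"KF-CLM", "VEN-TLSP", "KF-EJBCA", "DIGI-CC", "ENT-ECS", "GS-ATLAS",
             "SECT-CCM", "AWS-ACM", "AWS-PCA", "AZ-AKV", "AZ-MHSM",
             "HV-VAULT-PKI", "MS-ADCS"}
# Shortcodes that can act as an issuing CA; the alias may carry an instance
# suffix, e.g. KF-EJBCA-ISS01 or AWS-PCA-EU1 (examples from the page).
CA_FAMILIES = {"KF-EJBCA", "DIGI-CC", "ENT-ECS", "GS-ATLAS", "SECT-CCM",
               "AWS-PCA", "HV-VAULT-PKI", "MS-ADCS"}
# Assumption: environment vocabulary; the page itself only shows PROD.
ENVIRONMENTS = {"DEV", "TEST", "UAT", "PROD"}
# Documents often carry U+2010/U+2011 hyphens; normalise them before matching.
HYPHEN_VARIANTS = str.maketrans({"\u2010": "-", "\u2011": "-", "\u2012": "-"})
TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")


@dataclass(frozen=True)
class CertRequestRef:
    platform: str
    ca_alias: str
    ca_family: str
    policy: str
    environment: str
    zone: str
    app_id: str


def parse_ref(ref: str) -> CertRequestRef:
    """Return the parsed reference, or raise ValueError naming the bad field."""
    parts = ref.strip().translate(HYPHEN_VARIANTS).split("/")
    if len(parts) != 6:
        raise ValueError(f"expected 6 '/'-separated fields, got {len(parts)}")
    platform, ca_alias, policy, env, zone, app_id = parts
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform shortcode: {platform}")
    # Longest matching family wins, so AWS-PCA-EU1 resolves to AWS-PCA.
    family = max((f for f in CA_FAMILIES
                  if ca_alias == f or ca_alias.startswith(f + "-")),
                 key=len, default=None)
    if family is None:
        raise ValueError(f"CA alias {ca_alias} does not belong to a known CA family")
    if env not in ENVIRONMENTS:
        raise ValueError(f"environment must be one of {sorted(ENVIRONMENTS)}, got {env}")
    for name, value in (("policy", policy), ("zone", zone), ("app-id", app_id)):
        if not TOKEN.match(value):
            raise ValueError(f"{name} has characters outside [A-Za-z0-9-]: {value!r}")
    return CertRequestRef(platform, ca_alias, family, policy, env, zone, app_id)
```

Hooking this into the request intake (ITSM catalogue or CI pipeline) rejects malformed references before they reach a CA, rather than after an approval has already been routed to the wrong team.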
Automation Protocols for Certificate Management (ACME, EST, SCEP, CMP/CMC) & DevOps Integrations
- Protocols: ACME (incl. external account binding), EST, SCEP/NDES, CMP/CMC.
- Agents/Connectors: F5/iControl, Nginx/IIS/Apache modules, load balancer & WAF plugins, Kubernetes cert-manager, Vault issuers, Venafi/Keyfactor connectors.
- APIs & CI/CD: GitOps‑friendly pipelines, Terraform modules, Ansible collections, ServiceNow catalogues for request/approve/fulfil.
PKI Governance, Compliance & Key Management (BYOK, Managed HSM, NIS2, PCI DSS, ISO 27001)
- Policy Packs aligned to your CP/CPS and regulatory needs (e.g., eIDAS/PSD2, PCI DSS, NIS2, ISO 27001, SOC 2).
- Key protection with HSM‑backed roots and issuing CAs; customer‑managed keys as default.
- Auditability: Full activity trails, evidence packs for change/advisory boards, and revocation incident playbooks.
PKI Services for UK & EU Organisations (On-Prem, Cloud & OT/IIoT)
- London & UK-wide PKI services for regulated industries
- EU-ready designs aligned to NIS2, eIDAS/PSD2, GDPR data residency
Benefits: Fewer Outages, Higher Uptime, PQC Readiness
- Reduced outage risk via proactive discovery and automated renewals
- Faster time‑to‑issue with standardised policies and self‑service
- Clear ownership using shortcodes and CMDB mapping
- Future‑proofing for PQC migration plans and mixed‑algorithm estates
FAQ: PKI & Certificate Management — Common Questions
What is Certificate Lifecycle Management (CLM)?
CLM covers discovery, issuance, renewal, rotation, and revocation of digital certificates across servers, devices, users, and applications.
How do I find expiring TLS/SSL certificates quickly?
We run automated discovery and inventory, with alerts and renewal windows to prevent outages.
Do you support automated renewals and zero‑downtime rollovers?
Yes—policy‑driven renewals, canary checks, and blue/green deployments.
Can you manage Microsoft Active Directory Certificate Services (AD CS)?
Yes—migration, integration with Intune/NDES (SCEP), and modern CLM overlays.
Which vendors and platforms do you support?
Keyfactor (Command & EJBCA), Venafi, DigiCert, Entrust, GlobalSign, Sectigo, Microsoft AD CS, AWS ACM & PCA, Azure Key Vault/Managed HSM, HashiCorp Vault.
Do you support Kubernetes, service mesh, and DevOps pipelines?
Yes—cert‑manager, Vault PKI, GitOps/Terraform/Ansible, and CI/CD automation.
Can you issue certificates for IoT/OT and mTLS device identity?
Yes—scalable device enrolment (ACME/EST/SCEP), suitable for IIoT/OT estates.
Do you work with UK/EU compliance requirements?
Yes—NIS2, PCI DSS, ISO 27001, eIDAS/PSD2, and industry‑specific controls.