
Product
Blackfort Certificate Intelligence
Certificate governance pilot for Microsoft ADCS, Azure Key Vault & App Service and structured register intake for ICT third-party and OT/IoT certificates. Blackfort is currently developing a lightweight approach for inventorying, risk analysis and governance – as a basis for DORA, NIS2 and audit-readiness.
Positioning
Not another CA – transparency over your existing certificate inventories.
Blackfort Certificate Intelligence does not replace a Microsoft CA, a public CA or a monitoring pipeline – it makes inventory, risks and governance of internal ADCS, Azure and manually captured third-party / OT certificates visible across sources.
Microsoft ADCS
Issues internal certificates. Does not provide a consolidated risk, expiry or governance view across what it has issued.
Azure / DigiCert
Cloud and public CA platforms provide certificates. A cross-source governance view that also covers internal ADCS inventories is not in scope.
PRTG / Monitoring
Monitors individual endpoints and TLS expiry. Does not see what the internal sources have issued overall, or how it should be classified in governance terms.
Blackfort Certificate Intelligence
Makes inventory, risks, templates, ownership and expiry of ADCS, Azure and structured third-party / OT certificates visible – as a basis for governance, DORA, NIS2 and audit.
Technical approach
Architecture & data flow
The data flow is intentionally lean and strictly read-only for existing source systems. Azure sources are queried via Azure APIs against your tenants. Third-party and OT/IoT certificates enter the same register via structured manual intake.
Sources & intake
In pilot scope
- Microsoft ADCS: Read-only export
- Azure Key Vault: API discovery
- Azure App Service: API discovery
- ICT third-party: Structured import
- OT / IoT: Manual intake process
- 01 Export & Normalisation
Read-only export from technical sources; normalisation of metadata, templates and owners; consolidation alongside manually captured third-party and OT/IoT entries.
- 02 Certificate Inventory
Consolidated inventory across all sources – with status, owners, intended use and source-system tagging.
- 03 Risk & Expiry Analysis
Findings on algorithms, key lengths, wildcards and templates. Configurable expiry alerts per service class.
- 04 Governance Register
Aggregated view for compliance, risk and infrastructure stakeholders – a basis for DORA, NIS2 and ISO 27001 reviews.
- 05 Excel / Findings / Audit / Jira (planned)
Audit-ready Excel / register export today. Jira-based renewal workflows are a planned integration.
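The five steps above, from normalised export rows to a findings register with a CSV export, as an added worked example. This is not Blackfort's code and not the product's data model: the record fields, the list of reviewed templates, the severities and the service-class names are assumptions; the 90-day and 30-day escalation windows are the example values from the FAQ on expiry alerts. The sample rows are constructed to mirror the illustrative findings shown later on this page, and the whole thing runs offline on those rows, which is also how a read-only approach should work: the analysis never talks to the CA, only to an export of it.

```python
"""Added example (not Blackfort's code): a minimal cross-source certificate
register with the finding types the page lists. Field names, the template
review list, severities and the escalation windows are assumptions."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed service classes; the day values are the FAQ's example windows.
EXPIRY_WINDOWS: Dict[str, int] = {"critical-external": 90, "internal-standard": 30}
REVIEWED_TEMPLATES = {"WebServer-2016", "Machine", "User"}   # assumed documented
WEAK_HASHES = {"md5", "sha1"}
MIN_BITS = {"RSA": 2048, "EC": 256}


@dataclass
class CertRecord:
    """One normalised row, whatever the source (ADCS, Key Vault, manual intake)."""
    source: str                      # adcs | keyvault | appservice | thirdparty | ot
    subject_cn: str
    not_after: date
    owner: Optional[str] = None      # renewal accountability; None produces a finding
    service_class: str = "internal-standard"
    key_algorithm: str = "RSA"
    key_bits: int = 2048
    sig_hash: str = "sha256"
    template: Optional[str] = None   # ADCS only; cloud and manual rows carry none


Finding = Tuple[str, str, str]       # (severity, type, detail)


def analyse(rec: CertRecord, today: date) -> List[Finding]:
    """Technical and governance findings for one record (severities illustrative)."""
    out: List[Finding] = []
    window = EXPIRY_WINDOWS.get(rec.service_class, EXPIRY_WINDOWS["internal-standard"])
    left = (rec.not_after - today).days
    if left < 0:
        out.append(("high", "expired", f"expired {-left} days ago"))
    elif left <= window:
        out.append(("high", "expiry", f"expires in {left} days (window {window}d, {rec.service_class})"))
    if rec.subject_cn.startswith("*."):
        out.append(("high", "wildcard", "implicit multi-service usage"))
    alg = "EC" if rec.key_algorithm.upper() in {"EC", "ECDSA"} else rec.key_algorithm.upper()
    if alg in MIN_BITS and rec.key_bits < MIN_BITS[alg]:
        out.append(("medium", "weak-key", f"{alg} {rec.key_bits}"))
    if rec.sig_hash.lower().replace("-", "") in WEAK_HASHES:
        out.append(("medium", "weak-signature", rec.sig_hash))
    if rec.source == "adcs" and rec.template not in REVIEWED_TEMPLATES:
        out.append(("medium", "unknown-template", rec.template or "<none>"))
    if not rec.owner:
        out.append(("medium", "missing-owner", f"no renewal accountability recorded ({rec.source})"))
    return out


def build_register(records: List[CertRecord], today: date) -> List[Dict[str, str]]:
    """Flat finding rows across all sources plus the aggregate ownership finding."""
    rows: List[Dict[str, str]] = []
    for rec in records:
        for severity, kind, detail in analyse(rec, today):
            rows.append({"source": rec.source, "subject": rec.subject_cn,
                         "severity": severity, "finding": kind, "detail": detail})
    unowned = sum(1 for r in records if not r.owner)
    if unowned:
        rows.append({"source": "all", "subject": "(aggregate)", "severity": "low",
                     "finding": "missing-owner-aggregate",
                     "detail": f"{unowned} certificates without owner"})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """CSV text for the audit export (stand-in for the page's Excel/CSV output)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["source", "subject", "severity", "finding", "detail"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample register mirroring the page's illustrative findings.
TODAY = date(2025, 3, 1)
SAMPLE = [
    CertRecord("adcs", "portal.intern.example", TODAY + timedelta(days=14), template="WebServer-2016"),
    CertRecord("keyvault", "payment-api-cert", TODAY + timedelta(days=21), service_class="critical-external"),
    CertRecord("adcs", "*.intern.example", TODAY + timedelta(days=400), owner="platform-team",
               template="WebServer-2016"),
    CertRecord("adcs", "legacy-app.intern.example", TODAY + timedelta(days=200), owner="app-team",
               key_bits=1024, sig_hash="sha1", template="legacy-internal-v3"),
    CertRecord("appservice", "as-prod-mobile-api.azurewebsites.net", TODAY + timedelta(days=300),
               owner="mobile-team"),
]

if __name__ == "__main__":
    print(to_csv(build_register(SAMPLE, TODAY)))
```

The point of the per-service-class window is visible in the second sample row: a Key Vault certificate 21 days from expiry is already a finding for a critical external service (90-day window) but would not yet be one for an internal standard service (30-day window). The aggregate missing-owner row is kept separate from the per-certificate findings so that a register export carries both the count an auditor asks for and the individual items an operator has to fix.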
In pilot scope
What Blackfort Certificate Intelligence delivers in the pilot
The following capabilities are part of the current pilot. They are intentionally not the full feature set of a complete CLM – they aim at a robust, audit-ready view of internal and cloud-based certificate inventories, complemented by structured intake for third-party and OT/IoT inventories.
Pilot / MVP
Microsoft ADCS export
Read-only export of issued certificates from existing Microsoft Certificate Authorities.
Azure Key Vault discovery
API-based discovery of certificates across Key Vaults and subscriptions.
Azure App Service discovery
API-based discovery of certificates on Azure App Services including custom domains.
Local certificate inventory
Consolidated inventory across all sources, with metadata, templates, ownership and source-system tagging.
Excel / register export
Audit-ready export for DORA certificate registers, NIS2 and ISO 27001 reviews.
Configurable expiry alerts
Per-service-class escalation windows for upcoming certificate expiry.
Initial risk / governance findings
Structured export of technical findings on algorithms, wildcards, templates and missing ownership.
Structured third-party import
Standardised manual import of certificate data from external ICT third parties into the register.
OT/IoT manual intake process
Documented manual intake process for OT/IoT certificates with direct register integration. No automated OT discovery.
Integrations & roadmap
Pilot, planned, future
The roadmap separates pilot scope, integrations under active development and mid-term planned extensions. Binding statements on availability are made exclusively within the scope of specific pilot or project conversations.
Microsoft ADCS
Pilot: Read-only export of issued certificates, templates and metadata.
Azure Key Vault
Pilot: API-based discovery across subscriptions.
Azure App Service
Pilot: API-based discovery including custom domain bindings.
ICT third-party (import)
Pilot: Structured manual import of third-party certificate data into the register.
OT/IoT manual intake process
Pilot: Documented manual intake process with register integration. No automated OT discovery.
Configurable expiry alerts
Pilot: Per-service-class escalation windows.
DigiCert
Planned: Consolidation of public certificates alongside ADCS inventories.
Jira API / renewal workflows
Planned: Renewal and governance tickets from findings into existing ITSM processes.
PRTG reconciliation
Planned: Hand expiry findings to established monitoring pipelines.
AWS Certificate Manager
Planned: Discovery of public certificates in AWS accounts.
GCP Certificate Manager
Planned: Discovery of public certificates in Google Cloud projects.
Microsoft Defender correlation
Future: Correlation with endpoint and identity telemetry.
Wazuh / SIEM export
Future: Integration into existing SIEM and detection stacks.
Kubernetes / cert-manager
Future: Visibility of workload certificates in cluster environments.
Network discovery scanner
Future: Active discovery of certificates outside the known sources.
ACME governance
Future: Governance for ACME-based certificate issuance.
Automated renewal processes
Future: Automated renewal across all supported source systems.
Possible findings
Illustrative governance and risk findings
The view below is illustrative and shows typical finding types from real ADCS, Azure and third-party / OT inventories – not the live state of a specific customer.
Illustration
Certificate Intelligence – pilot view (demo)
Per-source breakdown
Certificate expires in 14 days
Severity: high • CN=portal.intern.example • Template: WebServer-2016
Critical certificate of an internal portal with no documented renewal accountability.
Azure Key Vault: expiry in 21 days
Severity: high • kv-prod-eu / payment-api-cert
Cloud certificate of a payment-relevant API. No renewal owner is set in the Vault tags.
Wildcard certificate detected
Severity: high • CN=*.intern.example • Multi-Service
Wildcard with wide-reaching implicit usage across multiple services.
App Service certificate without service mapping
Severity: medium • as-prod-mobile-api.azurewebsites.net
App Service certificate is not mapped to a business service responsibility.
Weak RSA key
Severity: medium • RSA 1024 • SHA-1
Issued certificate with outdated key length and weak signature algorithm.
Unknown template
Severity: medium • Template: legacy-internal-v3
Template is in productive use but not documented in the internal template review.
Third-party certificate without owner
Severity: medium • Provider: payments-saas-vendor • manually captured
Third-party certificate was manually captured into the register, but no internal escalation contact is recorded.
OT certificate without renewal contact
Severity: medium • Site: South plant • PLC cluster • manually captured
OT certificate is in the register but no technical renewal accountability has been assigned.
Missing ownership (aggregate)
Severity: low • 34 certificates without owner
A material number of issued certificates have no assigned accountability.
Missing governance documentation
Severity: low • Template and enrolment permissions
Template rights and enrolment configuration are not currently documented.
Microsoft ADCS
Make Microsoft ADCS governance visible
Many organisations operate their Microsoft Certificate Authority for years without structured governance. Internal certificate landscapes grow organically and no one fully owns the picture of inventory, risks or expiry windows. With Azure Key Vault and Azure App Service, additional inventories emerge that are often not consolidated with the internal register.
Regulator and audit questions then hit a reality that can only be reconstructed with significant effort. The goal is not alarmism but a calm, audit-ready view of the actual inventory.
What is often missing for years
- Governance over issued certificates
- Ownership and accountability
- Lifecycle transparency and expiry overview
- Template review and enrolment rights
- Audit-readiness on request
Assessment
Certificate Governance Pilot Assessment
The assessment delivers a first robust view of your relevant certificate inventories from Microsoft ADCS, Azure Key Vault, Azure App Service and structured intake for third-party and OT/IoT certificates. The approach is strictly read-only for existing source systems – no templates are changed, no certificates are issued or revoked.
The output is a consolidated register, a technical risk and expiry analysis and a governance classification with management summary – usable for internal reviews, DORA / NIS2 preparation and ISO 27001 audits.
Assessment deliverables
- Microsoft ADCS export of issued certificates
- Azure Key Vault & Azure App Service discovery
- Structured intake of relevant third-party certificates
- Manual intake process for OT/IoT certificates (pilot scope)
- Consolidated register and expiry analysis
- Risk and governance findings
- Configuration of first expiry alerts
- Management summary and audit export (Excel)
Why Blackfort
Experience in regulated PKI environments
Certificates are technically unspectacular – and at the same time a load-bearing part of regulated IT architectures. We have worked for many years exactly at this intersection of cryptography, regulatory expectation and operational reality.
PKI experience
Long-standing project experience with internal and outsourced PKI in regulated environments.
Regulated environments
Work with financial entities, critical infrastructure, public administration and healthcare.
Official DigiCert partner
Established partnership with DigiCert for public certificates and trust services.
Public administration PKI & gematik
Experience with public-sector PKI and gematik-relevant architectures in the German healthcare ecosystem.
Thales nShield Certified
Certified security expert for Thales nShield HSM – robust key custody.
DORA, NIS2, ISO 27001
Advisory aligned with recognised regulatory and standardisation frameworks.
German on-prem perspective
Local evaluation in your environment – also when reaching out to Azure sources via your tenants.
Frequently asked questions
Is Blackfort Certificate Intelligence already a full CLM system?
No. Blackfort Certificate Intelligence is not a full Certificate Lifecycle Management product. The current pilot covers Microsoft ADCS export, Azure Key Vault and Azure App Service discovery, structured intake for ICT third-party certificates, a manual intake process for OT/IoT certificates, configurable expiry alerts and an audit-ready Excel / register export. Automated renewals, agentless network discovery and full enterprise CLM platforms are not part of the current state.
Which cloud certificates does the pilot cover today?
The pilot scope includes Azure Key Vault and Azure App Service certificates. Both are evaluated via the respective Azure APIs against your tenants and subscriptions. AWS Certificate Manager and GCP Certificate Manager are planned integrations but are not in the current pilot.
How are ICT third-party providers covered?
For ICT third parties, the pilot supports a structured manual import into the certificate register. Third-party certificate data can be consolidated with internal inventories – including expiry analysis, ownership and governance findings. Automated discovery at third-party providers is not part of the MVP.
How are OT / IoT certificates covered?
For OT and IoT environments, the pilot starts with a documented manual intake process with register integration. This brings in certificates from areas that are regulatorily relevant but technically often not directly scannable. Automated OT/IoT discovery is not part of the pilot.
Are configurable expiry alerts available?
Yes. Escalation windows can be configured per service class – for example 90 days for critical external services, 30 days for internal standard services. This makes expiry risk visible in a differentiated way.
Will Jira tickets be created automatically?
Not in the current state. Jira-based renewal workflows are a planned integration. Findings and expiry alerts are exported today in a structured format (Excel / CSV) and can be moved into existing ITSM processes manually.
Does it already support DigiCert?
A DigiCert integration is on the roadmap but not part of the current pilot. Blackfort is an official DigiCert partner; the plan is to evaluate DigiCert certificates alongside ADCS and Azure inventories in the register.
Is a cloud platform required to use it?
No. The evaluation runs in your environment. For Azure data sources, only Azure APIs are queried against your own tenants and subscriptions – no additional third-party platform persists your certificate data.
Will the Microsoft CA be modified?
No. The approach for the Microsoft CA remains strictly read-only. Data is exported and analysed; no templates are changed, no certificates are issued or revoked and no productive settings are modified.
Is PRTG not sufficient?
PRTG can monitor individual endpoints and their TLS certificates very effectively. What PRTG does not provide is a cross-source governance view of all certificates issued by ADCS and Azure, including templates, algorithms and wildcard usage. PRTG reconciliation is a planned integration.
Does it support Linux or Kubernetes?
The initial focus is on Microsoft ADCS, Azure Key Vault and Azure App Service, plus structured intake for third-party and OT/IoT certificates. Linux and Kubernetes scenarios (cert-manager, ACME, workload certificates) are on the longer-term roadmap but are not part of the current pilot.
Is it required for DORA or NIS2 compliance?
No. What is mandatory are DORA, NIS2 and comparable regulations themselves, not any particular product. Blackfort Certificate Intelligence is a tool to operationalise the certificate inventory and governance expectations of DORA (Art. 7(4) of the RTS on the ICT risk management framework), NIS2 and ISO 27001.
Get in touch
Running ADCS, Azure certificates or capturing third-party certificates – and want to see what's actually in circulation?
Blackfort is looking for organisations for early pilot and assessment projects around cross-source certificate governance. Let us schedule a first pilot conversation.