Blackfort Technology
DORA Compliance

DORA Certificate Register

Complete certificate inventory in line with DORA requirements – from discovery through build-out to ongoing lifecycle management. Powered by Blackfort Certificate Intelligence.

What Is the DORA Certificate Register?

The Digital Operational Resilience Act (DORA) requires financial entities to maintain a complete, up-to-date inventory of all cryptographic assets and digital certificates. Article 7(4) of the RTS on ICT Risk Management (EU 2024/1774) states: "Financial undertakings shall establish and maintain a register of all certificates and certificate stores for at least those ICT assets supporting critical or important functions."

The certificate register is therefore not an optional governance instrument but a regulatory obligation. During inspections by the BaFin, ECB or other competent authorities, the register is used as evidence of ICT risk control. Missing or outdated entries can be classified as material control weaknesses.

Blackfort Technology supports financial entities and their ICT third-party providers in building and operating a DORA-compliant certificate register – from the initial discovery phase through process integration to tool selection.

Technical Requirements Under the RTS

Article 7(4) of the RTS on ICT Risk Management (EU 2024/1774) sets out four core technical requirements:

  • comprehensive recording of all PKI certificates, including type, issuance and expiry dates, and purpose;
  • automated monitoring with proactive alerts for upcoming expirations or anomalies;
  • compliance with current security standards to prevent unauthorised access and manipulation;
  • complete audit logging of all changes to, and all access to, the register.

These requirements are technically achievable – but only sustainable if they do not depend on manual processes or spreadsheets. In organisations with more than 500 employees, an average of 40–60% of all active certificates are not recorded in a central register. In the event of a regulatory inspection by the BaFin or ECB, such an inventory would not be audit-ready.

Particular attention must be paid to short-lived certificates (90-day certificates via Let's Encrypt and similar), which require an automated lifecycle management process. DORA implicitly requires that certificate expiry must not lead to unplanned outages – a direct link to the DORA requirement for ICT operational stability.
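The fourth requirement above, audit logging of every change to and every access of the register, is the one most often left to a database's own timestamps. The following is an added example, not Blackfort's code: an append-only, hash-chained audit log in which each entry commits to the previous entry's hash, so that an edited or deleted entry is detected on verification. The actors, serials and timestamps are constructed sample data.

```python
"""Hash-chained audit log for a certificate register (added example, not
Blackfort's code). Every change to, and every read of, the register becomes an
append-only entry whose hash covers the previous entry's hash, so an edited or
removed entry is detectable when the chain is verified."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the very first entry


class RegisterAuditLog:
    """Append-only log of register changes and accesses, linked by SHA-256."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the entry's own hash; sorted keys and fixed
        # separators make the serialisation canonical, so verification
        # recomputes exactly the bytes that were hashed at write time.
        body = {k: v for k, v in entry.items() if k != "hash"}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def record(self, timestamp, actor, action, serial, details=""):
        """Append one entry and return its hash. The ISO-8601 timestamp is
        supplied by the caller so that this example is reproducible."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "ts": timestamp,
            "actor": actor,
            "action": action,   # e.g. "create", "update", "delete", "read"
            "serial": serial,   # certificate serial the action refers to
            "details": details,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain. Returns (True, None) if intact, otherwise
        (False, seq) for the first entry whose content or link is broken."""
        prev_hash = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash or self._digest(entry) != entry["hash"]:
                return False, entry["seq"]
            prev_hash = entry["hash"]
        return True, None


def build_sample_log():
    """Constructed sample: one registration, one read access, one update."""
    log = RegisterAuditLog()
    log.record("2025-01-06T09:00:00Z", "pki-admin", "create", "1A",
               "registered CN=payments.example.test, owner payments-ops")
    log.record("2025-01-06T09:05:00Z", "auditor", "read", "1A",
               "register export for quarterly review")
    log.record("2025-01-07T14:30:00Z", "pki-admin", "update", "1A",
               "owner changed: payments-ops -> platform-ops")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    sample.entries[0]["details"] = "silently edited"  # what verification must catch
    print("after an edit:", sample.verify())
```

Verification only proves that the chain is self-consistent; to make it evidence for an inspector, the latest hash has to be anchored somewhere the register's administrators cannot rewrite (a signed daily digest, a write-once store or a ticket in the change-management system).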

Building a DORA-Compliant Certificate Register

A robust certificate register consists of three layers: Discovery (finding all certificates), Inventory (structured recording in a central system) and Lifecycle Management (automated monitoring, renewal and alerting). Without automation in the discovery layer, complete inventories are not maintainable in mid-sized and large organisations.

Suitable tool foundations include dedicated Certificate Lifecycle Management (CLM) solutions such as Venafi, Keyfactor or AppViewX, as well as SIEM integration and internal PKI solutions (Microsoft ADCS, EJBCA). Blackfort assesses your existing PKI infrastructure and recommends the approach with the best cost-benefit ratio for your specific DORA compliance situation.

On the process side, the certificate register must be integrated into change management: every new system deployment, every supplier change and every infrastructure modification must trigger a certificate review. We help you embed this integration into your existing ITSM processes (ServiceNow, Jira Service Management or similar).

DORA Certificate Register and ICT Third-Party Providers

DORA places specific requirements on the certificate situation with ICT third-party providers. When a cloud provider or managed service provider manages certificates on behalf of the financial entity, the financial entity must still be able to maintain a complete overview and respond immediately in the event of outages or security incidents.

The RTS on DORA third-party risk (Joint RTS under Articles 28 ff.) require that contractual arrangements with ICT third-party providers explicitly include audit, information and data transfer rights in the area of certificates and cryptographic assets. Blackfort reviews your existing contracts for these requirements and supports renegotiation where needed.

For DORA-critical ICT third-party providers (subcategory under Article 31 DORA), enhanced requirements apply. Their certificate management must be reflected in your own register, and your monitoring process must ensure that their certificate expiry is also continuously tracked.

DORA Certificate Checklist

  • Complete certificate discovery (on-premises + cloud)
  • Central inventory with full metadata
  • Expiry monitoring & automatic alerting
  • Lifecycle processes (renewal, revocation)
  • Integration into change management
  • Third-party provider coverage
  • Audit-ready documentation for BaFin/ECB

Assess Your DORA Readiness

We analyse your current certificate posture and identify DORA compliance gaps.

Get in Touch

Practice

Why certificate registers often fail in practice

The regulatory requirements are clearly worded. In practice, implementation rarely fails on intent – it fails on the organically grown reality around the internal Microsoft Certificate Authority. We see nine recurring patterns in mid-sized and large environments.

Microsoft CA running for years

Certificate services often run for years without structured review of templates, enrolment rights or issued certificates.

No complete overview

Issued certificates are rarely centrally inventoried. Expiry dates, owners and intended use are not consistently documented.

Missing ownership

Certificates are renewed for years without clear technical or organisational accountability.

Wildcard certificates

Wildcard and multi-SAN certificates obscure the actual breadth of use and hinder governance, risk review and incident response.

Weak cryptography

Organically grown CA hierarchies frequently contain outdated algorithms, short key lengths or remaining SHA-1 entries.

Unknown templates

Template permissions have grown over time. Which identities may issue which certificates is often no longer traceable.

No audit-readiness

A short-notice audit request for all active certificates can rarely be answered from a single, consistent source.

Expiry incidents

Expired certificates cause unannounced outages of critical services – directly relevant to DORA operational stability requirements.

No central governance

Certificate decisions are made decentrally. A consolidated view across compliance, risk and IT operations is missing.

Product

Blackfort Certificate Intelligence

Microsoft ADCS Governance & Certificate Visibility

Blackfort is currently developing a lightweight, on-premises approach for inventorying and governing Microsoft ADCS certificates. The goal is a robust, audit-ready view of existing certificate landscapes – without modifying the productive Certificate Authority.

The current approach is intentionally read-only: issued certificates are exported from the CA, consolidated, enriched with metadata and evaluated with initial risk and expiry findings. Blackfort Certificate Intelligence is not a full CLM and not a finished discovery platform – it is a focused tool for governance and visibility.

Microsoft ADCS export

Structured, read-only export of issued certificates from existing Microsoft Certificate Authorities.

Azure Key Vault discovery

API-based discovery of certificates across Key Vaults and subscriptions.

Azure App Service discovery

API-based discovery of certificates on Azure App Services including custom domains.

Consolidated inventory

Cross-source inventory with metadata, templates, ownership and source-system tagging.

Configurable expiry alerts

Per-service-class escalation windows for upcoming certificate expiry.

Excel / register export

Audit-ready register output for DORA, NIS2, ISO 27001 and internal reviews.

Initial risk / governance findings

Structured findings on algorithms, wildcards, templates and missing ownership.

Structured third-party import

Standardised manual import of certificate data from external ICT third parties into the register.

OT/IoT manual intake process

Documented manual intake process for OT/IoT certificates with register integration. No automated discovery.

Status note: Blackfort Certificate Intelligence is under active development. The current pilot scope covers Microsoft ADCS export, Azure Key Vault and Azure App Service discovery, structured third-party import, a manual OT/IoT intake process, configurable expiry alerts and Excel / register export. Automated renewal engines, network discovery scanners and full enterprise CLM features are not part of the current state.

Roadmap

Planned integrations and roadmap

Blackfort Certificate Intelligence evolves along a clearly prioritised roadmap. The overview below intentionally separates capabilities available today, integrations under active development and mid-term planned extensions.

Pilot

  • Microsoft ADCS export
  • Azure Key Vault discovery
  • Azure App Service discovery
  • Structured third-party import
  • OT/IoT manual intake process
  • Configurable expiry alerts
  • Excel / register export

Planned

  • DigiCert integration
  • Jira API / renewal workflows
  • PRTG reconciliation
  • AWS Certificate Manager
  • GCP Certificate Manager

Future

  • Microsoft Defender correlation
  • Wazuh / SIEM export
  • Kubernetes / cert-manager
  • Network discovery scanner
  • ACME governance
  • Automated renewal processes

Timelines, sequencing and scope of individual integrations may evolve during ongoing development. Binding statements on availability are made exclusively within the scope of specific pilot or project conversations.

Microsoft ADCS

Make Microsoft ADCS governance visible

Many organisations operate their Microsoft Certificate Authority for years without structured governance: no systematic template review, no clearly assigned ownership, no continuous risk and lifecycle view.

As a result, internal certificate landscapes grow without anyone owning the overall picture. Regulator and audit questions then hit a reality that can only be reconstructed with significant effort. A first, read-only look at the inventory brings this reality into a manageable shape.

Typical risk areas

  • Weak algorithms and outdated key lengths
  • Wildcards with wide-reaching implicit usage
  • Missing accountability and ownership
  • Uncontrolled enrolment rights
  • Opaque, organically grown certificate landscapes

What governance means in concrete terms

A robust governance view on Microsoft ADCS is not about chasing every single CVE or ESC vulnerability individually. It starts with being able to answer three questions reliably:

  1. Which certificates exist – and who owns them?
  2. Which of these are suspicious from an algorithm, wildcard or template perspective?
  3. Which ones expire when – and what depends on each of them?
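The three questions above can be answered from nothing more than a consolidated, read-only export. The following is an added example, not Blackfort's code: the register rows are constructed to resemble a consolidated CA export, and the review policy (2048-bit minimum, SHA-1/MD5 as weak signature algorithms, a template name flagged for enrolment review) is an assumption made for the example. Question 1 is answered by ownership_gaps, question 2 by risk_findings and question 3 by expiry_schedule.

```python
"""Answering the three governance questions from a read-only CA export
(added example, not Blackfort's code). REGISTER holds constructed rows; the
thresholds, template names, owners and dependents are assumptions."""
from datetime import date

# Review policy (assumptions for this example, RSA keys only in the sample).
MIN_RSA_BITS = 2048
WEAK_SIGNATURE_ALGORITHMS = {"sha1RSA", "md5RSA"}
# Templates whose enrolment rights are due for review (constructed name).
TEMPLATES_UNDER_REVIEW = {"LegacyWebServer-AnyPurpose"}

REFERENCE_DATE = date(2025, 1, 1)  # fixed "today" so the output is reproducible

# Constructed register rows modelled on a consolidated, read-only CA export.
REGISTER = [
    {"serial": "1A", "subject": "CN=payments.example.test",
     "sans": ["payments.example.test"], "sig_alg": "sha256RSA", "key_bits": 2048,
     "template": "WebServer", "owner": "payments-ops",
     "not_after": date(2025, 3, 15), "dependents": ["core-banking-api"]},
    {"serial": "2B", "subject": "CN=*.intranet.example.test",
     "sans": ["*.intranet.example.test"], "sig_alg": "sha256RSA", "key_bits": 2048,
     "template": "WebServer", "owner": None,
     "not_after": date(2026, 6, 30), "dependents": ["hr-portal", "wiki", "file-share"]},
    {"serial": "3C", "subject": "CN=legacy-app.example.test",
     "sans": ["legacy-app.example.test"], "sig_alg": "sha1RSA", "key_bits": 1024,
     "template": "LegacyWebServer-AnyPurpose", "owner": "app-team",
     "not_after": date(2025, 1, 20), "dependents": ["legacy-app"]},
    {"serial": "4D", "subject": "CN=svc-backup.example.test",
     "sans": ["svc-backup.example.test"], "sig_alg": "sha256RSA", "key_bits": 3072,
     "template": "Machine", "owner": "infra",
     "not_after": date(2027, 1, 1), "dependents": []},
]


def ownership_gaps(register):
    """Question 1: serials of certificates that have no recorded owner."""
    return [c["serial"] for c in register if not c.get("owner")]


def _is_wildcard(cert):
    # A wildcard may sit in the subject CN or in any SAN entry.
    names = [cert["subject"].removeprefix("CN=")] + list(cert["sans"])
    return any(n.startswith("*.") for n in names)


def risk_findings(register):
    """Question 2: findings per serial on algorithm, key length, wildcard use
    and template. Certificates without findings are omitted."""
    findings = {}
    for cert in register:
        hits = []
        if cert["sig_alg"] in WEAK_SIGNATURE_ALGORITHMS:
            hits.append("weak-signature-algorithm")
        if cert["key_bits"] < MIN_RSA_BITS:
            hits.append("short-key")
        if _is_wildcard(cert):
            hits.append("wildcard")
        if cert["template"] in TEMPLATES_UNDER_REVIEW:
            hits.append("template-review")
        if hits:
            findings[cert["serial"]] = hits
    return findings


def expiry_schedule(register, today):
    """Question 3: (days_left, serial, dependents), soonest expiry first."""
    schedule = [((c["not_after"] - today).days, c["serial"], list(c["dependents"]))
                for c in register]
    return sorted(schedule)


if __name__ == "__main__":
    print("unowned:", ownership_gaps(REGISTER))
    for serial, hits in risk_findings(REGISTER).items():
        print(serial, hits)
    for days, serial, deps in expiry_schedule(REGISTER, REFERENCE_DATE):
        print(f"{serial}: {days:4d} days left, affects {deps or 'nothing recorded'}")
```

The dependents column is the piece most exports lack and most incidents turn on: an expiry date is only actionable when the register also says which service stops working on that date.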

Assessment

Microsoft ADCS Governance Assessment

The assessment delivers a first robust view of your existing Microsoft Certificate Authority within a clearly scoped approach. The approach is strictly read-only: no templates are changed, no certificates are issued or revoked, and no productive CA settings are modified.

The output is a consolidated register, a technical risk and expiry analysis and a governance classification with management summary – usable for internal reviews, DORA / NIS2 preparation and ISO 27001 audits.

Assessment deliverables

  • Microsoft ADCS export of issued certificates
  • Azure Key Vault & Azure App Service discovery
  • Structured intake of relevant third-party certificates
  • Manual intake process for OT/IoT certificates (pilot scope)
  • Register build-up and expiry analysis
  • Risk and governance findings (algorithms, wildcards, templates, ownership)
  • Configuration of first expiry alerts
  • Excel / audit export and management summary

Request assessment

Why Blackfort

Experience in regulated PKI environments

Certificates are technically unspectacular – and at the same time a load-bearing part of regulated IT architectures. We have worked for many years exactly at this intersection of cryptography, regulatory expectation and operational reality.

PKI experience

Long-standing project experience with internal and outsourced PKI in regulated environments.

Regulated sectors

Work with financial entities, critical infrastructure operators, public administration and healthcare.

Official DigiCert partner

Established partnership with DigiCert for public certificates and trust services.

Public administration PKI & gematik

Experience with public-sector PKI and gematik-relevant architectures in the German healthcare ecosystem.

Thales nShield Certified

Certified security expert for Thales nShield HSM – robust key custody.

NIS2, DORA, ISO 27001 focus

Advisory aligned with recognised regulatory and standardisation frameworks.

On-prem perspective

Local, read-only evaluation. No forced cloud transfer of internal certificate data.

Frequently asked questions

Is Blackfort Certificate Intelligence already a full CLM system?

No. Blackfort Certificate Intelligence is not a full Certificate Lifecycle Management product. The current pilot covers Microsoft ADCS export, Azure Key Vault and Azure App Service discovery, structured intake for ICT third-party certificates, a manual intake process for OT/IoT certificates, configurable expiry alerts and an audit-ready Excel / register export. Automated renewals, agentless network discovery and full enterprise CLM platforms are not part of the current state.

Does the pilot support cloud certificates?

Yes. The pilot covers Azure Key Vault and Azure App Service certificates. Both are evaluated via Azure APIs against your tenants and subscriptions. AWS Certificate Manager and GCP Certificate Manager are planned integrations but are not part of the current pilot.

How are ICT third-party providers covered?

For ICT third parties, the pilot supports a structured manual import into the certificate register. Third-party certificate data can be consolidated with internal inventories – including expiry analysis, ownership and governance findings. Automated discovery at third-party providers is not part of the MVP.

How are OT / IoT certificates covered?

For OT and IoT environments, the pilot starts with a documented manual intake process with register integration. This brings in certificates from areas that are regulatorily relevant but often not directly scannable. Automated OT/IoT discovery is not part of the pilot.

Are configurable expiry alerts available?

Yes. Escalation windows can be configured per service class – for example 90 days for critical external services, 30 days for internal standard services. Expiry risk can therefore be made visible in a differentiated way.
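Per-service-class windows are a small amount of logic once the register carries a service class per certificate. The following is an added example, not Blackfort's code: the 90-day and 30-day windows are the figures quoted above, while the class names, the 7-day "urgent" step, the default window for unclassified certificates and the register rows are assumptions constructed for the example.

```python
"""Expiry alerting with per-service-class escalation windows (added example,
not Blackfort's code). The 90/30-day windows follow the figures quoted in the
FAQ; class names, the urgent threshold, the default window and the rows are
constructed assumptions."""
from datetime import date

# Days before expiry at which a certificate of each service class starts alerting.
ESCALATION_WINDOWS = {
    "critical-external": 90,
    "internal-standard": 30,
}
DEFAULT_WINDOW_DAYS = 30    # applied when a certificate carries no known class
URGENT_THRESHOLD_DAYS = 7   # escalate from "notice" to "urgent" inside this

REFERENCE_DATE = date(2025, 1, 1)  # fixed "today" so the output is reproducible

# Constructed register rows (not real certificates).
REGISTER = [
    {"serial": "A1", "name": "www.example.test", "service_class": "critical-external",
     "not_after": date(2025, 3, 15)},   # 73 days left: inside the 90-day window
    {"serial": "B2", "name": "intranet.example.test", "service_class": "internal-standard",
     "not_after": date(2025, 3, 15)},   # 73 days left: outside the 30-day window
    {"serial": "C3", "name": "print.example.test", "service_class": "internal-standard",
     "not_after": date(2025, 1, 5)},    # 4 days left: urgent
    {"serial": "D4", "name": "api.example.test", "service_class": "critical-external",
     "not_after": date(2024, 12, 20)},  # already expired
    {"serial": "E5", "name": "svc.example.test", "service_class": None,
     "not_after": date(2025, 1, 25)},   # 24 days left, no class: default window
]


def classify(cert, today):
    """Return (days_left, level); level is None (no alert), 'notice',
    'urgent' or 'expired'. An unknown class falls back to the default window
    rather than silently dropping the certificate from alerting."""
    days_left = (cert["not_after"] - today).days
    window = ESCALATION_WINDOWS.get(cert.get("service_class"), DEFAULT_WINDOW_DAYS)
    if days_left < 0:
        return days_left, "expired"
    if days_left <= URGENT_THRESHOLD_DAYS:
        return days_left, "urgent"
    if days_left <= window:
        return days_left, "notice"
    return days_left, None


def alerts_due(register, today):
    """Every certificate that needs attention today, soonest expiry first."""
    alerts = []
    for cert in register:
        days_left, level = classify(cert, today)
        if level is not None:
            alerts.append({"serial": cert["serial"], "name": cert["name"],
                           "service_class": cert.get("service_class") or "unclassified",
                           "days_left": days_left, "level": level})
    return sorted(alerts, key=lambda a: a["days_left"])


if __name__ == "__main__":
    for alert in alerts_due(REGISTER, REFERENCE_DATE):
        print(f"{alert['level']:8s} {alert['serial']} {alert['name']} "
              f"({alert['service_class']}): {alert['days_left']} days")
```

Two certificates with the same expiry date (A1 and B2) produce different outcomes only because of their class, which is the point of differentiated windows; the fallback for unclassified certificates keeps a missing attribute from turning into a missed alert.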

Are Jira tickets created automatically?

Not in the current state. Jira-based renewal workflows are a planned integration. Findings and expiry alerts are exported today in a structured format (Excel / CSV) and can be moved into existing ITSM processes manually.

Does it support DigiCert?

A DigiCert integration is on the roadmap but not part of the current pilot. Blackfort is an official DigiCert partner; the plan is to evaluate DigiCert certificates alongside ADCS and Azure inventories in the register.

Is a cloud platform required to use it?

No. The evaluation runs in your environment. For Azure data sources, only Azure APIs are queried against your own tenants and subscriptions – no additional third-party platform persists your certificate data.

Will the Microsoft CA be modified?

No. The approach for the Microsoft CA remains strictly read-only. Data is exported and analysed; no templates are changed, no certificates are issued or revoked and no productive settings are modified.

Is PRTG not sufficient?

PRTG can monitor individual endpoints and their TLS certificates very effectively. What PRTG does not provide is a cross-source governance view of all certificates issued by ADCS and Azure, including templates, algorithms and wildcard usage. PRTG reconciliation is a planned integration.

Is it mandatory for DORA or NIS2 compliance?

No. What is mandatory are DORA, NIS2 and comparable regulations themselves – not any particular product. Blackfort Certificate Intelligence is a tool to operationalise the governance and inventory expectations of DORA Art. 7(4) RTS, NIS2 and ISO 27001 for certificates.

Get in Touch

Build a DORA-Compliant Certificate Register

Let us analyse your certificate posture and establish an inventory process that meets regulatory requirements.