
Product
Blackfort Certificate Intelligence
Read-only multi-CA certificate inventory with governance: five CA connectors (ADCS, EJBCA, HashiCorp Vault PKI, step-ca, Azure Key Vault), an own TLS scanner, CT log monitoring and air-gap import – without private keys. With revocation status, DORA analysis, RBAC and audit trail as a container or OVA.
A compact product overview as a slide deck – all sources, fields and analyses at a glance.
Positioning
Not another CA – transparency over your existing certificate inventories.
Blackfort Certificate Intelligence does not replace a CA or a monitoring pipeline – it makes inventory, risks, revocation status and governance visible across five CA platforms, TLS scanning, CT log and air-gap import. Strictly read-only, without private keys.
Microsoft ADCS
Issues internal certificates. Does not provide a consolidated risk, expiry or governance view across what it has issued.
Azure / DigiCert
Cloud and public CA platforms provide certificates. A cross-source governance view that also covers internal CA inventories is not in scope.
PRTG / Monitoring
Monitors individual endpoints and TLS expiry. Does not see what the internal sources have issued overall, or how it should be classified in governance terms.
Blackfort Certificate Intelligence
Makes inventory, risks, revocation status, ownership and expiry across five CA platforms, TLS scanning, CT log and air-gap visible – strictly read-only, without private keys, as a basis for governance, DORA, NIS2 and audit.
Technical approach
Architecture & data flow
The data flow is intentionally lean and strictly read-only. Lean exporters per CA platform write into a stable, versioned exchange format (exchange-v1); the logic lives centrally in the web register. SHA-256 fingerprint as primary key, import as upsert/merge – private keys are never processed.
Sources & intake
AvailableMicrosoft ADCS
CA connector (read-only)
EJBCA
CA connector (read-only)
HashiCorp Vault PKI
CA connector (read-only)
smallstep step-ca
CA connector (read-only)
Azure Key Vault
CA connector (read-only)
TLS scanner
Read-only fetch per host:port
CT log monitoring
Publicly trusted certificates (external)
Air-gap file import
Isolated segments
- 01
Read-only collection
Lean exporters per CA platform, a TLS scanner, CT log monitoring and air-gap import deliver only public certificate parts and metadata – never private keys.
- 02
Normalisation (exchange-v1)
All sources write into a stable, versioned JSON-schema exchange format. SHA-256 fingerprint as primary key, import as upsert/merge – never replace.
- 03
Central register
Consolidated inventory across all sources – technical, governance and provenance fields, origin class managed / external / mixed.
- 04
Compliance intelligence
Expiry escalation, weak crypto, self-signed, wildcard, key reuse, orphans; revocation status via CRL/OCSP, chain/trust resolution, append-only audit trail.
- 05
Analysis & output
DORA analysis views, XLSX / CSV export, Teams notifications and soft archive – usable for DORA, NIS2 and ISO 27001 reviews.
Available feature set
What Blackfort Certificate Intelligence delivers today
The following capabilities are available and validated at the PKI test lab. They are deliberately not a full Certificate Lifecycle Management with automated renewals – they are a robust, audit-ready governance view across multiple CA platforms, strictly read-only and without private keys.
Read-only · no private key
5 CA connectors
Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca and Azure Key Vault – strictly read-only, validated at the PKI test lab.
Own TLS scanner
Lean, read-only certificate fetch per host:port. No cipher probing, no interference with productive services.
CT log monitoring
Monitoring of publicly trusted certificates for your domains via Certificate Transparency logs – clearly tagged as “external”.
Air-gap file import
Capture from isolated network segments via file import – even without a network connection to the central register.
Central certificate inventory
Consolidated register across all sources with SHA-256 fingerprint as key; upsert/merge preserves governance fields.
Governance data model
Critical / important function, responsible owner, function / process, orphan status and free custom columns per certificate.
Revocation status (CRL & OCSP)
Read-only checks via CRL (CDP) and OCSP (AIA) including a “revoked but still active” column.
Chain & trust resolution
Resolution of certificate chains and trust relationships via AKI / SKI.
Compliance findings
Weak crypto (RSA < 2048 / SHA-1), self-signed on a critical function, wildcard, key reuse (shared SPKI) and orphans.
DORA analysis views
Prepared quick filters and views for DORA-relevant analysis across the whole inventory.
Expiry escalation by service class
Configurable escalation windows per service class – expiry risks become visible differentiated by criticality.
Teams notifications
Configurable thresholds and toggles plus an optional daily digest directly in Microsoft Teams.
RBAC, audit trail & soft archive
Web login with roles (admin / viewer), append-only audit trail and reversible, audited soft archive instead of hard deletion.
Product in action
The real Certificate Intelligence interface
The following views come from the running application. Inventory, governance fields, DORA quick filters, revocation status and the central agent management – this is what the central web register looks like.





Note: all data shown is synthetic (example domains such as example.com / demo.internal) and only illustrates the interface, not real customer inventories.
Data model
The data model: three field classes
Every certificate carries three clearly separated field classes. Technical fields come unchanged from the certificate, governance fields are maintained, provenance fields show how current an entry is.
Technical fields
immutableParsed directly from the certificate: subject, issuer, validity, key/algorithm, SANs, serial, fingerprint. Immutable.
Governance fields
editableSupports a critical / important function, responsible owner, function / process, orphan marker and freely defined custom columns.
Provenance
tracked separatelyLast imported and last seen are tracked separately – making it visible whether a certificate is still actively observed or only held historically.
Operations & delivery
Runs in your environment
Container & VM appliance
Delivered as Docker Compose (air-gap capable) and as a VM appliance (OVA). Installed in your environment.
Two agent output modes
HTTPS push with token or air-gap file export. Agents are managed centrally in the frontend – create, revoke and rotate tokens.
XLSX / CSV export
Audit-ready export for certificate registers, reviews and hand-over into existing processes.
Possible findings
Illustrative governance and risk findings
The view below is illustrative and shows typical finding types from real multi-CA, TLS-scan and CT-log inventories – not the live state of a specific customer.
Illustration
Certificate Intelligence – sample analysis (demo)
Per-source breakdown
Certificate expires in 14 days
highCN=portal.intern.example • Template: WebServer-2016
Critical certificate of an internal portal with no documented renewal accountability.
Azure Key Vault: expiry in 21 days
highkv-prod-eu / payment-api-cert
Cloud certificate of a payment-relevant API. No renewal owner is set in the Vault tags.
Wildcard certificate detected
highCN=*.intern.example • Multi-Service
Wildcard with wide-reaching implicit usage across multiple services.
Revoked but still active
highOCSP: revoked • endpoint keeps serving the certificate
Certificate is revoked according to OCSP but is still presented over a reachable endpoint.
Weak RSA key
mediumRSA 1024 • SHA-1
Certificate with outdated key length and weak signature algorithm on an important function.
Key reuse across certificates
mediumshared SPKI • 6 certificates
Several certificates share the same public key (SPKI) – one compromised key would affect them all.
Self-signed on a critical function
mediumCN=demo.internal • self-signed
Self-signed certificate is assigned to a function marked as critical.
CT log: unknown external certificate
mediumorigin_class: external • *.example.com
Certificate Transparency surfaced a publicly trusted certificate for a monitored domain that is not in the managed inventory.
Missing ownership (aggregate)
low34 certificates without owner
A material number of issued certificates have no assigned accountability.
Missing governance documentation
lowTemplate and enrolment permissions
Template rights and enrolment configuration are not currently documented.
Grown PKI
Make PKI governance visible across all CAs
Many organisations operate their certificate authorities – Microsoft ADCS, EJBCA, HashiCorp Vault PKI, step-ca – for years without structured governance. Certificate landscapes grow organically and no one fully owns the picture of inventory, risks or expiry. With Azure Key Vault and publicly trusted certificates, additional inventories emerge that are often not consolidated with the internal register.
Regulator and audit questions then hit a reality that can only be reconstructed with significant effort. The goal is not alarmism but a calm, audit-ready view of the actual inventory.
What is often missing for years
- Governance over issued certificates
- Ownership and accountability
- Lifecycle transparency and expiry overview
- Template review and enrolment rights
- Audit-readiness on request
Assessment
Certificate Governance Pilot Assessment
The assessment delivers a first robust view of your relevant certificate inventories from the connected CA platforms (ADCS, EJBCA, HashiCorp Vault PKI, step-ca, Azure Key Vault) as well as TLS scan and CT log. The approach is strictly read-only and non-invasive – no productive settings are changed, no certificates are issued or revoked, and private keys are never processed.
The output is a consolidated register, a technical risk and expiry analysis and a governance classification with management summary – usable for internal reviews, DORA / NIS2 preparation and ISO 27001 audits.
Assessment deliverables
- Read-only connection of your CA platforms (ADCS, EJBCA, Vault PKI, step-ca, Azure Key Vault)
- TLS scan of relevant host:port endpoints and CT log reconciliation
- Consolidated register with SHA-256 fingerprint as key
- Risk and compliance findings including revocation status (CRL/OCSP)
- Governance classification: critical / important function, ownership, orphans
- DORA analysis views and expiry analysis
- Management summary and audit export (XLSX/CSV)
Security & trust
Deliberately built to be restrained
Certificate Intelligence is an inventory, not a key store. It only sees what is publicly visible anyway – which keeps it usable even in highly regulated and isolated environments.
Read-only
Non-invasive, no productive changes to CAs, templates or services.
No private key
Never private keys – only public certificate parts and metadata.
Air-gap capable
Docker Compose and file import for isolated segments without a network connection.
Container & OVA
Delivered as Docker Compose or VM appliance – installed in your environment.
RBAC & web login
Role-based access: admin writes, viewer reads.
Append-only audit trail
Traceable history; archive instead of delete (reversible, audited).
DORA reference
Where Certificate Intelligence provides evidence
Certificates are ICT assets. Certificate Intelligence addresses several DORA requirements and provides evidence for them – it does not replace a legal assessment and does not guarantee compliance, it makes the inventory auditable.
Identification & classification
Identify and classify certificates as ICT assets and map them to critical / important functions.
Protection & prevention
Cryptography plus key and certificate lifecycle: weak crypto, expiry, revocation status, key reuse.
Third-party risk
Make CA, third-party and concentration risk visible – a basis for the information register.
Also supports the inventory and governance expectations of NIS2 and ISO 27001.
Getting started
60 days free – fully in your hands
You install Certificate Intelligence yourself as a container or OVA and use it free of charge for 60 days with the full feature set. After that it scales with the number of certificates. On request we support the installation.
60 days free
Full feature set without restriction – evaluate at your own pace in your own environment.
Self-install
You install the container (Docker Compose) or VM appliance (OVA) yourself.
Scales with inventory
Usage scales with the number of certificates. Optional installation support.
Why Blackfort
Experience in regulated PKI environments
Certificates are technically unspectacular – and at the same time a load-bearing part of regulated IT architectures. We have worked for many years exactly at this intersection of cryptography, regulatory expectation and operational reality.
PKI experience
Long-standing project experience with internal and outsourced PKI in regulated environments.
Regulated environments
Work with financial entities, critical infrastructure, public administration and healthcare.
Official DigiCert partner
Established partnership with DigiCert for public certificates and trust services.
Public administration PKI & gematik
Experience with public-sector PKI and gematik-relevant architectures in the German healthcare ecosystem.
Thales nShield Certified
Certified security expert for Thales nShield HSM – robust key custody.
DORA, NIS2, ISO 27001
Advisory aligned with recognised regulatory and standardisation frameworks.
German on-prem perspective
Local evaluation in your environment – also when reaching out to Azure sources via your tenants.
Frequently asked questions
Is Blackfort Certificate Intelligence already a full CLM system?
No. Blackfort Certificate Intelligence is a certificate inventory with governance and compliance intelligence, not a full Certificate Lifecycle Management product. Available are five CA connectors (Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca, Azure Key Vault), an own TLS scanner, CT log monitoring, air-gap import, revocation status checks via CRL/OCSP, chain/trust resolution, DORA analysis views, RBAC, Teams notifications, an audit trail and XLSX/CSV export. Automated renewal processes are deliberately not part of the current state.
Which source systems are supported today?
Available today and validated at the PKI test lab are five CA connectors: Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca and Azure Key Vault. In addition there is an own lean TLS scanner (read-only certificate fetch per host:port, no cipher probing), CT log monitoring for publicly trusted certificates of your domains, and an air-gap file import for isolated segments.
Are private keys read or stored?
No. Certificate Intelligence is an inventory, not a key store. It processes only public certificate parts and metadata – never private keys. The approach is strictly read-only and non-invasive.
How are externally discovered certificates handled?
Publicly trusted certificates of your domains discovered via CT log monitoring are clearly tagged as “external”. Each certificate carries an origin class (managed, external or mixed), so internally managed and externally observed inventories stay cleanly separated.
Are configurable expiry alerts and notifications available?
Yes. Expiry escalation is per service class. In addition there are Teams notifications with configurable thresholds and toggles plus an optional daily digest. This makes expiry and risk findings visible in a differentiated way, right where teams already work.
How is the product operated and delivered?
Certificate Intelligence runs in your environment – as a container (Docker Compose, air-gap capable) or as a VM appliance (OVA). Access is via a web login with RBAC (admin writes, viewer reads). Agents are managed centrally in the frontend, with two output modes: HTTPS push with token or air-gap file export; tokens can be created, revoked and rotated.
Will Jira tickets be created automatically?
Not in the current state. Findings and expiry results are exported in a structured format (XLSX/CSV) and can be moved into existing ITSM processes manually.
Does it already support DigiCert?
Not part of the current pilot. Blackfort is an official DigiCert partner for public certificates and trust services.
Is a cloud platform required to use it?
No. The evaluation runs in your environment, as a container or VM appliance. For Azure Key Vault, only Azure APIs are queried against your own tenants and subscriptions – no additional third-party platform persists your certificate data.
Will the CAs be modified?
No. The approach is strictly read-only and non-invasive. Data is read and analysed; no templates are changed, no certificates are issued or revoked and no productive settings are modified. Private keys are never processed.
Is PRTG not sufficient?
PRTG can monitor individual endpoints and their TLS certificates very effectively. What PRTG does not provide is a cross-source governance view across multiple CA platforms – including revocation status (CRL/OCSP), chain/trust resolution, key reuse and governance fields such as critical function and ownership.
Does it support Linux or Kubernetes?
The five CA connectors (ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca, Azure Key Vault) already cover mixed Linux/Windows PKI landscapes; the TLS scanner is platform-independent. Deeper Kubernetes integration (cert-manager, workload certificates) is not part of the current state.
Is it required for DORA or NIS2 compliance?
No. What is mandatory are DORA, NIS2 and comparable regulations themselves – not any particular product. Certificate Intelligence addresses the required governance and inventory function for certificates (including DORA Art. 8, 9 and 28–30) and provides evidence for it; it does not guarantee compliance and does not replace a legal assessment.
Product overview as PDF
Slide deck covering sources, data model, compliance checks and DORA reference.
Kontakt aufnehmen
Running several CA platforms – and want to see what's actually in circulation?
Certificate Intelligence inventories ADCS, EJBCA, Vault PKI, step-ca and Azure Key Vault strictly read-only, including TLS scan and CT log. Let us schedule a first pilot conversation.