Blackfort Technology
Blackfort Certificate Intelligence
Validated at the PKI test lab

Product

Blackfort Certificate Intelligence

Read-only multi-CA certificate inventory with governance: five CA connectors (ADCS, EJBCA, HashiCorp Vault PKI, step-ca, Azure Key Vault), an own TLS scanner, CT log monitoring and air-gap import – without private keys. With revocation status, DORA analysis, RBAC and audit trail as a container or OVA.

A compact product overview as a slide deck – all sources, fields and analyses at a glance.

Product overview (PDF)

Positioning

Not another CA – transparency over your existing certificate inventories.

Blackfort Certificate Intelligence does not replace a CA or a monitoring pipeline – it makes inventory, risks, revocation status and governance visible across five CA platforms, TLS scanning, CT log and air-gap import. Strictly read-only, without private keys.

Microsoft ADCS

Issues internal certificates. Does not provide a consolidated risk, expiry or governance view across what it has issued.

Azure / DigiCert

Cloud and public CA platforms provide certificates. A cross-source governance view that also covers internal CA inventories is not in scope.

PRTG / Monitoring

Monitors individual endpoints and TLS expiry. Does not see what the internal sources have issued overall, or how it should be classified in governance terms.

Blackfort Certificate Intelligence

Makes inventory, risks, revocation status, ownership and expiry across five CA platforms, TLS scanning, CT log and air-gap visible – strictly read-only, without private keys, as a basis for governance, DORA, NIS2 and audit.

Technical approach

Architecture & data flow

The data flow is intentionally lean and strictly read-only. Lean exporters per CA platform write into a stable, versioned exchange format (exchange-v1); the logic lives centrally in the web register. SHA-256 fingerprint as primary key, import as upsert/merge – private keys are never processed.

Sources & intake

Available

Microsoft ADCS

CA connector (read-only)

EJBCA

CA connector (read-only)

HashiCorp Vault PKI

CA connector (read-only)

smallstep step-ca

CA connector (read-only)

Azure Key Vault

CA connector (read-only)

TLS scanner

Read-only fetch per host:port

CT log monitoring

Publicly trusted certificates (external)

Air-gap file import

Isolated segments

  1. 01

    Read-only collection

    Lean exporters per CA platform, a TLS scanner, CT log monitoring and air-gap import deliver only public certificate parts and metadata – never private keys.

  2. 02

    Normalisation (exchange-v1)

    All sources write into a stable, versioned JSON-schema exchange format. SHA-256 fingerprint as primary key, import as upsert/merge – never replace.

  3. 03

    Central register

    Consolidated inventory across all sources – technical, governance and provenance fields, origin class managed / external / mixed.

  4. 04

    Compliance intelligence

    Expiry escalation, weak crypto, self-signed, wildcard, key reuse, orphans; revocation status via CRL/OCSP, chain/trust resolution, append-only audit trail.

  5. 05

    Analysis & output

    DORA analysis views, XLSX / CSV export, Teams notifications and soft archive – usable for DORA, NIS2 and ISO 27001 reviews.

Available feature set

What Blackfort Certificate Intelligence delivers today

The following capabilities are available and validated at the PKI test lab. They are deliberately not a full Certificate Lifecycle Management with automated renewals – they are a robust, audit-ready governance view across multiple CA platforms, strictly read-only and without private keys.

Read-only · no private key

5 CA connectors

Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca and Azure Key Vault – strictly read-only, validated at the PKI test lab.

Own TLS scanner

Lean, read-only certificate fetch per host:port. No cipher probing, no interference with productive services.

CT log monitoring

Monitoring of publicly trusted certificates for your domains via Certificate Transparency logs – clearly tagged as “external”.

Air-gap file import

Capture from isolated network segments via file import – even without a network connection to the central register.

Central certificate inventory

Consolidated register across all sources with SHA-256 fingerprint as key; upsert/merge preserves governance fields.

Governance data model

Critical / important function, responsible owner, function / process, orphan status and free custom columns per certificate.

Revocation status (CRL & OCSP)

Read-only checks via CRL (CDP) and OCSP (AIA) including a “revoked but still active” column.

Chain & trust resolution

Resolution of certificate chains and trust relationships via AKI / SKI.

Compliance findings

Weak crypto (RSA < 2048 / SHA-1), self-signed on a critical function, wildcard, key reuse (shared SPKI) and orphans.

DORA analysis views

Prepared quick filters and views for DORA-relevant analysis across the whole inventory.

Expiry escalation by service class

Configurable escalation windows per service class – expiry risks become visible differentiated by criticality.

Teams notifications

Configurable thresholds and toggles plus an optional daily digest directly in Microsoft Teams.

RBAC, audit trail & soft archive

Web login with roles (admin / viewer), append-only audit trail and reversible, audited soft archive instead of hard deletion.

Product in action

The real Certificate Intelligence interface

The following views come from the running application. Inventory, governance fields, DORA quick filters, revocation status and the central agent management – this is what the central web register looks like.

Demo data / synthetic
Central inventory
Central certificate inventory of Blackfort Certificate Intelligence with synthetic demo data
Consolidated view across all sources, with SHA-256 fingerprint, origin class and status.
DORA governance fields
Governance fields of a certificate including critical function, with synthetic demo data
Critical / important function, responsible owner, function / process and custom columns per certificate.
DORA quick filters
DORA quick filters for expiry of critical and important functions, with synthetic demo data
Prepared analysis views – expiry critical / important in one click.
Revoked but still active
View of revoked but still active certificates, with synthetic demo data
Revocation status from CRL and OCSP – including the risky combination of revoked and still reachable.
Multi-source & agent management
Central management of sources and agents in Blackfort Certificate Intelligence, with synthetic demo data
Manage agents centrally in the frontend – create, revoke and rotate tokens, with per-source output mode HTTPS push or air-gap file export.

Note: all data shown is synthetic (example domains such as example.com / demo.internal) and only illustrates the interface, not real customer inventories.

Data model

The data model: three field classes

Every certificate carries three clearly separated field classes. Technical fields come unchanged from the certificate, governance fields are maintained, provenance fields show how current an entry is.

Technical fields

immutable

Parsed directly from the certificate: subject, issuer, validity, key/algorithm, SANs, serial, fingerprint. Immutable.

Governance fields

editable

Supports a critical / important function, responsible owner, function / process, orphan marker and freely defined custom columns.

Provenance

tracked separately

Last imported and last seen are tracked separately – making it visible whether a certificate is still actively observed or only held historically.

Operations & delivery

Runs in your environment

Container & VM appliance

Delivered as Docker Compose (air-gap capable) and as a VM appliance (OVA). Installed in your environment.

Two agent output modes

HTTPS push with token or air-gap file export. Agents are managed centrally in the frontend – create, revoke and rotate tokens.

XLSX / CSV export

Audit-ready export for certificate registers, reviews and hand-over into existing processes.

Possible findings

Illustrative governance and risk findings

The view below is illustrative and shows typical finding types from real multi-CA, TLS-scan and CT-log inventories – not the live state of a specific customer.

Illustration

Certificate Intelligence – sample analysis (demo)

2,148
Certificates total
47
Expiry < 30 days
37
Risk findings

Per-source breakdown

1,402
Microsoft ADCS
264
EJBCA
208
Vault PKI / step-ca
318
Azure Key Vault
156
TLS scan / CT log
10 High18 Medium9 Low

Certificate expires in 14 days

high

CN=portal.intern.example • Template: WebServer-2016

Critical certificate of an internal portal with no documented renewal accountability.

Azure Key Vault: expiry in 21 days

high

kv-prod-eu / payment-api-cert

Cloud certificate of a payment-relevant API. No renewal owner is set in the Vault tags.

Wildcard certificate detected

high

CN=*.intern.example • Multi-Service

Wildcard with wide-reaching implicit usage across multiple services.

Revoked but still active

high

OCSP: revoked • endpoint keeps serving the certificate

Certificate is revoked according to OCSP but is still presented over a reachable endpoint.

Weak RSA key

medium

RSA 1024 • SHA-1

Certificate with outdated key length and weak signature algorithm on an important function.

Key reuse across certificates

medium

shared SPKI • 6 certificates

Several certificates share the same public key (SPKI) – one compromised key would affect them all.

Self-signed on a critical function

medium

CN=demo.internal • self-signed

Self-signed certificate is assigned to a function marked as critical.

CT log: unknown external certificate

medium

origin_class: external • *.example.com

Certificate Transparency surfaced a publicly trusted certificate for a monitored domain that is not in the managed inventory.

Missing ownership (aggregate)

low

34 certificates without owner

A material number of issued certificates have no assigned accountability.

Missing governance documentation

low

Template and enrolment permissions

Template rights and enrolment configuration are not currently documented.

Grown PKI

Make PKI governance visible across all CAs

Many organisations operate their certificate authorities – Microsoft ADCS, EJBCA, HashiCorp Vault PKI, step-ca – for years without structured governance. Certificate landscapes grow organically and no one fully owns the picture of inventory, risks or expiry. With Azure Key Vault and publicly trusted certificates, additional inventories emerge that are often not consolidated with the internal register.

Regulator and audit questions then hit a reality that can only be reconstructed with significant effort. The goal is not alarmism but a calm, audit-ready view of the actual inventory.

What is often missing for years

  • Governance over issued certificates
  • Ownership and accountability
  • Lifecycle transparency and expiry overview
  • Template review and enrolment rights
  • Audit-readiness on request

Assessment

Certificate Governance Pilot Assessment

The assessment delivers a first robust view of your relevant certificate inventories from the connected CA platforms (ADCS, EJBCA, HashiCorp Vault PKI, step-ca, Azure Key Vault) as well as TLS scan and CT log. The approach is strictly read-only and non-invasive – no productive settings are changed, no certificates are issued or revoked, and private keys are never processed.

The output is a consolidated register, a technical risk and expiry analysis and a governance classification with management summary – usable for internal reviews, DORA / NIS2 preparation and ISO 27001 audits.

Assessment deliverables

  • Read-only connection of your CA platforms (ADCS, EJBCA, Vault PKI, step-ca, Azure Key Vault)
  • TLS scan of relevant host:port endpoints and CT log reconciliation
  • Consolidated register with SHA-256 fingerprint as key
  • Risk and compliance findings including revocation status (CRL/OCSP)
  • Governance classification: critical / important function, ownership, orphans
  • DORA analysis views and expiry analysis
  • Management summary and audit export (XLSX/CSV)
Request assessment

Security & trust

Deliberately built to be restrained

Certificate Intelligence is an inventory, not a key store. It only sees what is publicly visible anyway – which keeps it usable even in highly regulated and isolated environments.

Read-only

Non-invasive, no productive changes to CAs, templates or services.

No private key

Never private keys – only public certificate parts and metadata.

Air-gap capable

Docker Compose and file import for isolated segments without a network connection.

Container & OVA

Delivered as Docker Compose or VM appliance – installed in your environment.

RBAC & web login

Role-based access: admin writes, viewer reads.

Append-only audit trail

Traceable history; archive instead of delete (reversible, audited).

DORA reference

Where Certificate Intelligence provides evidence

Certificates are ICT assets. Certificate Intelligence addresses several DORA requirements and provides evidence for them – it does not replace a legal assessment and does not guarantee compliance, it makes the inventory auditable.

DORA Art. 8

Identification & classification

Identify and classify certificates as ICT assets and map them to critical / important functions.

DORA Art. 9

Protection & prevention

Cryptography plus key and certificate lifecycle: weak crypto, expiry, revocation status, key reuse.

DORA Art. 28&ndash;30

Third-party risk

Make CA, third-party and concentration risk visible – a basis for the information register.

Also supports the inventory and governance expectations of NIS2 and ISO 27001.

Getting started

60 days free – fully in your hands

You install Certificate Intelligence yourself as a container or OVA and use it free of charge for 60 days with the full feature set. After that it scales with the number of certificates. On request we support the installation.

60 days free

Full feature set without restriction – evaluate at your own pace in your own environment.

Self-install

You install the container (Docker Compose) or VM appliance (OVA) yourself.

Scales with inventory

Usage scales with the number of certificates. Optional installation support.

Why Blackfort

Experience in regulated PKI environments

Certificates are technically unspectacular – and at the same time a load-bearing part of regulated IT architectures. We have worked for many years exactly at this intersection of cryptography, regulatory expectation and operational reality.

PKI experience

Long-standing project experience with internal and outsourced PKI in regulated environments.

Regulated environments

Work with financial entities, critical infrastructure, public administration and healthcare.

Official DigiCert partner

Established partnership with DigiCert for public certificates and trust services.

Public administration PKI & gematik

Experience with public-sector PKI and gematik-relevant architectures in the German healthcare ecosystem.

Thales nShield Certified

Certified security expert for Thales nShield HSM – robust key custody.

DORA, NIS2, ISO 27001

Advisory aligned with recognised regulatory and standardisation frameworks.

German on-prem perspective

Local evaluation in your environment – also when reaching out to Azure sources via your tenants.

Frequently asked questions

Is Blackfort Certificate Intelligence already a full CLM system?

No. Blackfort Certificate Intelligence is a certificate inventory with governance and compliance intelligence, not a full Certificate Lifecycle Management product. Available are five CA connectors (Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca, Azure Key Vault), an own TLS scanner, CT log monitoring, air-gap import, revocation status checks via CRL/OCSP, chain/trust resolution, DORA analysis views, RBAC, Teams notifications, an audit trail and XLSX/CSV export. Automated renewal processes are deliberately not part of the current state.

Which source systems are supported today?

Available today and validated at the PKI test lab are five CA connectors: Microsoft ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca and Azure Key Vault. In addition there is an own lean TLS scanner (read-only certificate fetch per host:port, no cipher probing), CT log monitoring for publicly trusted certificates of your domains, and an air-gap file import for isolated segments.

Are private keys read or stored?

No. Certificate Intelligence is an inventory, not a key store. It processes only public certificate parts and metadata – never private keys. The approach is strictly read-only and non-invasive.

How are externally discovered certificates handled?

Publicly trusted certificates of your domains discovered via CT log monitoring are clearly tagged as “external”. Each certificate carries an origin class (managed, external or mixed), so internally managed and externally observed inventories stay cleanly separated.

Are configurable expiry alerts and notifications available?

Yes. Expiry escalation is per service class. In addition there are Teams notifications with configurable thresholds and toggles plus an optional daily digest. This makes expiry and risk findings visible in a differentiated way, right where teams already work.

How is the product operated and delivered?

Certificate Intelligence runs in your environment – as a container (Docker Compose, air-gap capable) or as a VM appliance (OVA). Access is via a web login with RBAC (admin writes, viewer reads). Agents are managed centrally in the frontend, with two output modes: HTTPS push with token or air-gap file export; tokens can be created, revoked and rotated.

Will Jira tickets be created automatically?

Not in the current state. Findings and expiry results are exported in a structured format (XLSX/CSV) and can be moved into existing ITSM processes manually.

Does it already support DigiCert?

Not part of the current pilot. Blackfort is an official DigiCert partner for public certificates and trust services.

Is a cloud platform required to use it?

No. The evaluation runs in your environment, as a container or VM appliance. For Azure Key Vault, only Azure APIs are queried against your own tenants and subscriptions – no additional third-party platform persists your certificate data.

Will the CAs be modified?

No. The approach is strictly read-only and non-invasive. Data is read and analysed; no templates are changed, no certificates are issued or revoked and no productive settings are modified. Private keys are never processed.

Is PRTG not sufficient?

PRTG can monitor individual endpoints and their TLS certificates very effectively. What PRTG does not provide is a cross-source governance view across multiple CA platforms – including revocation status (CRL/OCSP), chain/trust resolution, key reuse and governance fields such as critical function and ownership.

Does it support Linux or Kubernetes?

The five CA connectors (ADCS, EJBCA, HashiCorp Vault PKI, smallstep step-ca, Azure Key Vault) already cover mixed Linux/Windows PKI landscapes; the TLS scanner is platform-independent. Deeper Kubernetes integration (cert-manager, workload certificates) is not part of the current state.

Is it required for DORA or NIS2 compliance?

No. What is mandatory are DORA, NIS2 and comparable regulations themselves – not any particular product. Certificate Intelligence addresses the required governance and inventory function for certificates (including DORA Art. 8, 9 and 28–30) and provides evidence for it; it does not guarantee compliance and does not replace a legal assessment.

Product overview as PDF

Slide deck covering sources, data model, compliance checks and DORA reference.

Download PDF

Kontakt aufnehmen

Running several CA platforms – and want to see what's actually in circulation?

Certificate Intelligence inventories ADCS, EJBCA, Vault PKI, step-ca and Azure Key Vault strictly read-only, including TLS scan and CT log. Let us schedule a first pilot conversation.