Blackfort PKI Assessment

Most organisations operate a certificate landscape that has grown over years and that no one fully oversees: self-signed certificates on servers, appliances and internal applications; wildcard certificates protecting several external services at once; an installed but underused internal Microsoft Certificate Authority; unclear ownership for renewals; and no single source of truth for expiry dates, algorithms or intended usage.

In regulated environments this translates into a twofold risk. Operationally, an undetected expired certificate can trigger a production incident. From an audit angle, DORA, NIS2, ISO 27001 and the relevant BSI requirements expect documented, traceable management of cryptographic identities. Auditors accept neither informal spreadsheets nor "we know our most important certificates".

The Blackfort PKI Assessment addresses exactly this gap. It is delivered as a productised fixed-price offering – not as an open-ended consulting mandate. Within four to eight weeks you receive a robust decision basis: what is in use, what carries risk, what is the next step.

Blackfort does not just rate individual certificates – we assess your overall machine identity and PKI governance: technically, organisationally and against regulatory requirements. Connecting regulatory guidance with technical execution is the core positioning of Blackfort Technology, and it is particularly relevant in a PKI assessment because the most common findings sit precisely on the seam between technology and accountability.

In practice, this means we combine certificate discovery and ADCS template review with the question of who in the organisation owns renewal, revocation and algorithm migration – and where these responsibilities are currently missing or unclear. Both perspectives produce a prioritised action plan that is workable in the technical team and presentable in the steering committee.

The assessment is vendor-neutral. We work with what is in place – Microsoft ADCS, EJBCA, cloud PKI, commercial CAs, ACME automation – and recommend additional tooling only where it demonstrably closes a gap.

The scope is tiered across the three packages, but follows the same methodology throughout: capture, assessment, prioritisation, roadmap. We bring the methodology and tooling, you provide the contacts and access to the relevant systems.

Depending on the selected package the assessment covers: an inventory of existing certificate sources; analysis of internal and external TLS certificates; identification of self-signed certificates; evaluation of wildcard certificates; review of Microsoft ADCS, EJBCA or cloud PKI structures; analysis of expiry, operational and ownership risks; and a review of cryptography, validity periods and certificate profiles.

On top of the technical findings we map results against DORA Art. 8, NIS2 Art. 21, ISO 27001:2022 Annex A.8.24 and the applicable BSI requirements. From there we build a roadmap for Certificate Lifecycle Management with a clean separation between short-term hardening measures and medium-term architectural decisions.

Every PKI Assessment closes with a defined set of deliverables that feeds directly into internal decision-making and audit processes. We do not deliver a 200-page PDF that no one reads – we deliver focused documents written for clearly identified audiences.

Concretely you receive a certificate risk overview of the identified findings, a management summary for IT leadership, the CISO and (where relevant) the DORA programme owner, a technical findings list per certificate or CA configuration, a prioritised action roadmap with effort indication, and a target picture for PKI and Certificate Lifecycle Management.

On request we extend the written deliverables with a presentation for IT leadership, the CISO or the DORA programme – including a short Q&A with the assessment team.