Core Practice

Identity & Trust Infrastructure

Certificates, keys, and machine identities are the infrastructure holding your digital trust together—and it is under more pressure than most organizations realize. We assess the foundation before anyone deploys a platform on top of it.

Vendor startup services deploy a tool. They don’t deliver a program.

Most certificate-lifecycle problems are diagnosed as tooling problems. Many of them are architecture problems wearing a tooling costume. A certificate-management platform deployed on top of a failing certificate authority does not fix the authority; it automates the failure.

Vendor professional services install and configure the platform, cover a handful of representative use cases, and exit at the contracted handoff. That is what they are paid to do. But PKI architecture, governance, migration sequencing, integration, and the operational long tail sit outside that scope, and that is where most CLM programs stall and quietly become shelfware. Sometimes the right next step isn't CLM at all; it's stabilizing the PKI underneath.

Cedrus Strategic delivers the architecture, governance, and program work that vendor PS doesn’t—with or without a vendor startup in flight.

The Trust Surface Is Bigger Than Your Certificates

A typical discovery scan finds 30–40% more certificates than the documented inventory—and certificates are only the visible tip.

Certificates & the Trust Chain

TLS, code-signing, S/MIME, client-auth, device, and IoT certificates. Break any link—expired cert, revoked intermediate, untrusted root—and the session fails. An instant P1.

SSH Keys

The invisible privileged-access layer. No expiry enforcement, no central inventory—keys provisioned years ago by staff long gone remain silently active. An unrotated key is a standing backdoor.
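The inventory gap described above is measurable on any host that still uses authorized_keys. Below is an added example (not Cedrus Strategic's tooling) that parses authorized_keys entries, decodes the SSH wire format to recover the key type and RSA modulus size, fingerprints each key the way OpenSSH does, and flags the conditions the paragraph names: no expiry-time option, an expiry already passed, no from= or command= restriction, weak RSA sizes, and the same key authorized more than once. The sample file and the key blobs in it are constructed for the example (the blobs are built in wire format and are not real credentials).

```python
"""Inventory and triage authorized_keys entries (added example, stdlib only)."""
import base64
import hashlib
import re
import struct
from datetime import date


# --- constructed sample keys, built in RFC 4251 wire format (not real credentials) ---

def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so a leading 0x00 when the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(bits: int) -> str:
    """ssh-rsa blob whose modulus has exactly `bits` bits (a size stand-in, not a usable key)."""
    n = (1 << (bits - 1)) | 1
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)).decode()


def make_ed25519_blob(seed: int) -> str:
    """ssh-ed25519 blob with 32 placeholder bytes (not a usable key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(seed.to_bytes(32, "big"))).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample of /home/deploy/.ssh/authorized_keys",
    f"ssh-rsa {make_rsa_blob(1024)} jsmith@laptop-2016",
    f'from="10.20.0.0/16",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {make_ed25519_blob(1)} backup-runner',
    f'expiry-time="20250101" ssh-ed25519 {make_ed25519_blob(2)} contractor@partner',
    f"ssh-rsa {make_rsa_blob(4096)} ci-deploy",
    f"ssh-rsa {make_rsa_blob(4096)} ci-deploy (same key pasted into a second account)",
])

# --- parser ---

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# [options] keytype base64-blob [comment]; options never contain unquoted whitespace
_LINE = re.compile(r"^(?:(?P<opts>\S.*?)\s+)?(?P<type>" + "|".join(map(re.escape, KEY_TYPES))
                   + r")\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")
# option name, optionally followed by ="quoted value" (backslash escapes allowed inside)
_OPT = re.compile(r'([A-Za-z][\w-]*)(?:="((?:[^"\\]|\\.)*)")?')


def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + length], off + 4 + length


def key_bits(blob_b64: str):
    """Decode the wire blob: returns (key type, key size in bits)."""
    buf = base64.b64decode(blob_b64)
    ktype, off = _read_string(buf, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(buf, off)           # public exponent (unused here)
        n, _ = _read_string(buf, off)              # modulus
        return "ssh-rsa", int.from_bytes(n, "big").bit_length()
    if ktype == b"ssh-ed25519":
        return "ssh-ed25519", 256
    if ktype.startswith(b"ecdsa-sha2-nistp"):
        return ktype.decode(), int(ktype[-3:])
    return ktype.decode(), 0


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        opts = dict(_OPT.findall(m.group("opts") or ""))
        ktype, bits = key_bits(m.group("blob"))
        entries.append({"line": lineno, "type": ktype, "bits": bits, "fingerprint": fingerprint(m.group("blob")),
                        "comment": m.group("comment") or "", "expiry": opts.get("expiry-time"),
                        "restricted": "from" in opts or "command" in opts})
    return entries


def triage(text: str, today: date) -> list:
    """Return (line number, finding) pairs for the conditions a key inventory should surface."""
    findings, seen = [], {}
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], "unparseable entry"))
            continue
        if e["type"] == "ssh-rsa" and e["bits"] < 2048:
            findings.append((e["line"], f"weak key: ssh-rsa {e['bits']} bits"))
        if e["expiry"] is None:
            findings.append((e["line"], "no expiry-time: key never ages out"))
        elif date(int(e["expiry"][:4]), int(e["expiry"][4:6]), int(e["expiry"][6:8])) <= today:
            findings.append((e["line"], f"expired on {e['expiry']} but still listed"))
        if not e["restricted"]:
            findings.append((e["line"], "unrestricted: no from= or command= option"))
        if e["fingerprint"] in seen:
            findings.append((e["line"], f"duplicate of line {seen[e['fingerprint']]}: same key authorized twice"))
        seen.setdefault(e["fingerprint"], e["line"])
    return findings


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_AUTHORIZED_KEYS, date(2026, 1, 15)):
        print(f"line {line}: {finding}")
```

Run it across a fleet by concatenating each host's authorized_keys files with a host prefix; the fingerprint column is what lets you see one key authorized on forty machines, which is the "standing backdoor" case. The expiry-time option has existed since OpenSSH 7.7, so "no expiry" is a policy gap, not a platform limitation.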

HSM & Key Custody

Hardware security module architecture, root-key protection, backup-HSM recovery paths, and key-ceremony design—aligned to sensitivity tier and FIPS 140-2/3 obligations.

Static & Symmetric Crypto

TDE database keys, disk and backup encryption, KMS and Vault secrets, API and OAuth client secrets—managed in silos, rarely rotated, and usually outside any certificate-governance view.

Network Segmentation

Zone-and-conduit architecture, microsegmentation, and identity ringfencing. Segmentation is the network expression of the same question: who is allowed to reach whom, and can they prove it?

Machine & Non-Human Identity

Service principals, workload credentials, and the agentic and OAuth-driven identities now multiplying fastest. Issuance, scope, and lifecycle—architected, not improvised.

The Engagement Path: Assess First, Fix the Foundation, Then Deploy

A menu and a sequence—not a single fixed commitment. Each phase has independent value and its own go / no-go decision gate.

01

Assess — PKI Architecture Health Check

  • A discrete, time-boxed, fixed-fee entry point; the de-risking step for everything that follows
  • Certificate inventory, CA health, hygiene audit, and workload-mix risk
  • HSM posture, root-key protection, and CP/CPS currency reviewed
  • Output: findings, a prioritized roadmap, and an informed read on platform fit

02

Remediate — Redesign & Rebuild

  • The variable phase, scoped by what the assessment actually found
  • Light: hygiene fixes, separating commingled workloads, replacing wildcards with explicit SANs
  • Heavy: three-tier rebuild, offline root, HSM-anchored issuing CAs, runbooks
  • Output: a sound PKI ready to carry a CLM platform

03

Deploy — CLM Startup Wrap & Overwatch

  • The CLM vendor runs the startup service; we run the architecture around it
  • Architectural overlay, use-case mapping, and deployment course-correction
  • Delivered on retainer; the pace is set by the vendor's schedule, not ours
  • Output: CLM deployed correctly on a sound foundation

04

Operate — Operationalization & Handoff

  • Where a tool deployment becomes a working program
  • The long-tail use cases the startup never reached
  • Integration to internal PKI, HSMs, and ITSM; program institutionalization
  • Output: a self-sustaining certificate program, not shelfware

From the Field

Where Startup-Only Engagements Can Stall

The platform stands up. The program never gets built.

Vendor Startup Covers                        | Cedrus Strategic Covers
Platform install and base configuration      | Foundation First: PKI architecture review and remediation before the platform sits on it
A handful of representative use cases        | The Long Tail: full use-case inventory and affinity grouping—where most certificates actually live
Connector / agent deployment, admin training | Integration: internal PKI, HSMs, and ITSM connected and finished, not left at handoff
Hand-off documentation for the platform      | Key Governance: HSM and backup-HSM runbooks, CP/CPS authoring, root-rekey planning
One vendor's platform                        | Platform-Agnostic: risk-tiered migration plans with rollback and a vendor-honest selection rationale
What Drives Scope

Complexity, not headcount

Engagements are sized during scoping by architectural complexity—not a fixed week count that large-organization projects never honor anyway. Budget the assessment firmly; budget the rest in ranges, after the assessment tells everyone what the program actually needs to be.

Internal PKI Health & Age

AD CS, EJBCA, or Vault PKI; database backend and size; last architecture review; recent operational issues.

Certificate Volume & Workload Mix

Count, growth trajectory, and whether long-lived workload and short-lived ephemeral certs share one CA.

HSM Posture

Current deployment, root-key protection, backup-HSM strategy, FIPS 140-2/3 obligations, planned refresh.

CA Hierarchy Complexity

Single, two-tier, multi-CA, cross-forest, split-horizon for OT or partner trust, recent M&A integration.

Regulatory & Audit Obligations

HIPAA, HITECH, PCI, SOX, NERC-CIP, FedRAMP, ISO 27001; audit cadence; CP/CPS currency.

Substrate Mix

IT, OT, cloud, and SaaS—each issues and consumes trust differently.

Why This Is Urgent Now

Three external forcing functions are compressing the runway, and the first one has already started.

The pressure is converging:

  • Shrinking certificate lifespans. Under the CA/Browser Forum's 2025 mandate, maximum public-TLS validity steps down from 398 days to roughly 200 in 2026, 100 in 2027, and 47 by 2029, and major CAs began issuing sub-200-day certificates in early 2026. At 47 days, even an estate of 100 certificates means two or three renewals every single day, and most estates are far larger. Manual management ends; automation depends on a sound authority underneath.
  • Post-quantum migration. NIST finalized its post-quantum standards (ML-KEM in FIPS 203 and ML-DSA in FIPS 204) in August 2024. Crypto-agility is a present-tense architecture decision, not a future project, and "harvest now, decrypt later" means long-horizon data is already exposed.
  • Regulatory pressure. Healthcare and other regulated sectors increasingly expect demonstrable certificate governance and machine-identity discipline—the trust fabric is becoming an audit obligation, not just a best practice.

The validity mandate governs public TLS certificates directly—but the automation it forces only works on a PKI that can carry it. An organization that cannot inventory and rotate its certificates today cannot meet any of these deadlines. The architecture work is the prerequisite for all of them.
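The checks behind the claims above (renewal load at each validity step, lifetimes that exceed the cap in force on the issue date, and the commingled long-lived and ephemeral workloads on one CA flagged under "Certificate Volume & Workload Mix", plus the wildcards the Remediate phase replaces) can be run over an ordinary discovery export. The following is an added example, not Cedrus Strategic's tooling; the CSV is a constructed stand-in for a scan export, the column layout is an assumption of the example, the step dates encode the SC-081 schedule as adopted (verify them against the current ballot text), and renewal at two-thirds of lifetime is the common ACME client convention, not a mandate.

```python
"""Triage a certificate discovery export (added example; stdlib only)."""
import csv
import io
from datetime import date

# Constructed sample export: one row per discovered certificate. "public" marks
# publicly trusted TLS certificates, the only ones the CA/B validity cap governs.
SAMPLE_INVENTORY = """name,issuer,public,not_before,not_after,sans
www.example.com,Public CA R3,yes,2026-01-10,2027-02-11,www.example.com;example.com
api.example.com,Public CA R3,yes,2026-04-01,2027-01-01,api.example.com
vpn.example.com,Public CA R3,yes,2025-12-01,2026-02-01,vpn.example.com
*.corp.example.com,Corp Issuing CA 1,no,2025-06-01,2028-06-01,*.corp.example.com
payments-db.corp.example.com,Corp Issuing CA 1,no,2024-03-01,2027-03-01,payments-db.corp.example.com
svc-orders.mesh.internal,Corp Issuing CA 1,no,2026-01-14,2026-01-15,svc-orders.mesh.internal
"""

# CA/Browser Forum SC-081 step-down for public TLS: 398 days today, then these caps
# from each effective date (assumed here from the ballot; confirm against the current text).
VALIDITY_STEPS = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]


def max_validity_on(issued: date) -> int:
    """Maximum public-TLS validity, in days, for a certificate issued on `issued`."""
    cap = 398
    for effective, days in VALIDITY_STEPS:
        if issued >= effective:
            cap = days
    return cap


def parse_inventory(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        nb, na = date.fromisoformat(r["not_before"]), date.fromisoformat(r["not_after"])
        rows.append({"name": r["name"], "issuer": r["issuer"], "public": r["public"] == "yes",
                     "not_before": nb, "not_after": na, "lifetime": (na - nb).days,
                     "sans": r["sans"].split(";")})
    return rows


def validity_violations(rows: list) -> list:
    """Public certs whose lifetime exceeds the cap in force on their issue date."""
    return [r["name"] for r in rows if r["public"] and r["lifetime"] > max_validity_on(r["not_before"])]


def wildcards(rows: list) -> list:
    """Certificates carrying a wildcard SAN: candidates for replacement with explicit SANs."""
    return [r["name"] for r in rows if any(s.startswith("*.") for s in r["sans"])]


def expiring_within(rows: list, today: date, days: int = 30) -> list:
    # Ephemeral mesh certs will always appear here, which is one reason a mixed CA is hard to operate.
    return [r["name"] for r in rows if 0 <= (r["not_after"] - today).days <= days]


def ca_workload_mix(rows: list, ephemeral_days: int = 7) -> dict:
    """Per issuer: how many certs are ephemeral (<= ephemeral_days) versus durable."""
    mix = {}
    for r in rows:
        bucket = mix.setdefault(r["issuer"], {"ephemeral": 0, "durable": 0})
        bucket["ephemeral" if r["lifetime"] <= ephemeral_days else "durable"] += 1
    return mix


def commingled_issuers(rows: list, ephemeral_days: int = 7) -> list:
    """Issuers carrying both ephemeral and durable workloads on one CA."""
    return sorted(i for i, b in ca_workload_mix(rows, ephemeral_days).items() if b["ephemeral"] and b["durable"])


def renewals_per_day(cert_count: int, validity_days: int, renew_at: float = 2 / 3, business_days: bool = False) -> float:
    """Steady-state renewal rate if every cert is renewed at `renew_at` of its lifetime."""
    per_day = cert_count / (validity_days * renew_at)
    return per_day * 7 / 5 if business_days else per_day


def projected_public_load(rows: list) -> dict:
    """Renewals per day for the public estate at today's cap and at each SC-081 step."""
    n = sum(1 for r in rows if r["public"])
    return {cap: round(renewals_per_day(n, cap), 2) for cap in [398] + [d for _, d in VALIDITY_STEPS]}


if __name__ == "__main__":
    rows = parse_inventory(SAMPLE_INVENTORY)
    today = date(2026, 1, 15)
    print("over cap:", validity_violations(rows))
    print("wildcards:", wildcards(rows))
    print("expiring within 30 days:", expiring_within(rows, today))
    print("commingled CAs:", commingled_issuers(rows))
    print("public renewal load per day by cap:", projected_public_load(rows))
    print("100 certs at 47 days:", round(renewals_per_day(100, 47, business_days=True), 1), "renewals per business day")
```

The two numbers worth keeping in front of stakeholders are the commingled-issuer list (the CA that will be hardest to put behind a CLM platform) and the renewal-rate projection at 47 days, which is what turns "we renew by hand" into an arithmetic impossibility rather than an opinion.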

Start with an Assessment

Is your certificate authority quietly under load?

Database growth, issuance latency, an approaching CA or root expiry, an HSM refresh, or a CLM platform purchase in flight—any one is a reason to look at the foundation before it forces the timing for you. The assessment is the cheapest insurance in the program.
