QCecuring - Enterprise Security Solutions

How Many Internal Certificates Does Your Company Actually Have?

Certificate Lifecycle Management 10 Jul, 2026 · 03 Mins read

Most teams think they manage hundreds of internal certificates. The real number is usually 3-5x higher. That gap is where risk hides.


How Many Internal Certificates Does Your Company Actually Have?

If your answer starts with “probably around…” — you have a visibility problem. And that problem is bigger than you think.


The Guess vs. The Reality

When we ask IT teams this question, the typical answer is somewhere between 200–500 certificates.

When we actually scan the environment, the real number is usually 1,500–5,000.

That’s not a rounding error. That’s a 3–5× gap between what teams think they manage and what actually exists.

What Teams EstimateWhat Discovery FindsThe Gap
200–500 certificates1,500–5,000 certificates3–5× undercount
”We know our important ones”60% were unknown to any teamOwnership: zero
”Auto-enrollment handles it”40% are manually issued or importedNo renewal process

The Certificate Visibility Gap

Typical enterprise: what's tracked vs. what actually exists

Tracking Coverage

Certificates Found by Source

⚠️ In the average mid-market enterprise, less than 15% of certificates have both ownership documentation and expiry monitoring.


Where Do the Extra Certificates Come From?

The gap exists because internal certificates get created from multiple sources — most of which don’t feed into a central inventory:

Auto-enrolled machine certificates — These exist on every domain-joined device. 1,000 devices = 1,000+ machine certs. Nobody counts these because “auto-enrollment handles it.”

Manually requested certificates — Engineers request certs for specific apps, services, or test environments through the CA web enrollment page or MMC. These live outside templates.

Self-signed certificates — Developers and DevOps teams generate self-signed certs for internal services, dev environments, and testing. Nobody tracks these.

Imported certificates — Certificates purchased from public CAs and imported to internal systems (load balancers, appliances, third-party integrations).

Service-specific certificates — Exchange, SCCM, SCOM, SQL Server, ADFS, WAP — each generates its own certificates during installation.

Forgotten infrastructure — Decommissioned servers still running with active certs. Lab environments. Legacy apps nobody wants to touch.


Why the Gap Matters

A certificate you don’t know about is a certificate you can’t manage. And a certificate you can’t manage will eventually expire — with no warning, no owner, and no documented remediation path.

Risk 1: Unmonitored expiry If it’s not in your tracking (spreadsheet, tool, or otherwise), nobody gets alerted when it expires. You find out from users.

Risk 2: No ownership Who’s responsible for renewing the certificate on that internal API? If the answer is “I don’t know” — that’s a future outage waiting.

Risk 3: Compliance gaps ISO 27001, PCI-DSS, and SOC 2 auditors increasingly ask: “Show me your certificate inventory.” If your inventory covers 30% of actual certificates, that’s a finding.

Risk 4: Crypto migration blockers Post-quantum migration requires knowing where current cryptographic assets are deployed. You can’t migrate RSA-2048 if you don’t know where it lives.


What a Real Certificate Inventory Looks Like

A useful inventory isn’t just a list of certificates. It maps:

Data PointWhy It Matters
Certificate subjectWhat is it for?
Issuing CAInternal? External? Self-signed?
Expiry dateWhen does it become a risk?
Key algorithm + sizeCrypto posture (RSA, ECC, key length)
Location (server/store)Where does it physically live?
Service bindingWhat depends on it?
OwnerWho fixes it when it breaks?
Template (if applicable)Is it auto-enrolled or manually managed?

Most teams have a partial view — they know about certs on their “important” servers. The other 60–70% lives in the shadows.


The Discovery Exercise

Here’s a quick way to sanity-check your certificate count:

Step 1: Query your CA database: certutil -view -out "Issued Common Name,Certificate Expiration Date,Certificate Template" csv > issued_certs.csv

Step 2: Count domain-joined devices (Active Directory): each one likely has 1–3 machine certificates.

Step 3: Check load balancers, reverse proxies, and network appliances — these are outside AD CS.

Step 4: Scan internal subnets for services presenting certificates on common ports (443, 8443, 636, 3389).

Step 5: Compare against whatever tracking exists today (spreadsheet, someone’s memory, nothing).

The delta between Step 5 and Steps 1–4 is your visibility gap.


What To Do About It

You need discovery before management. You can’t manage what you haven’t found.

  1. Run a certificate discovery scan across your internal network
  2. Query your CA database for everything ever issued (not just what’s “active”)
  3. Map certificates to services — which cert is bound to which application?
  4. Assign ownership — every certificate needs a team or person responsible
  5. Establish a tracking mechanism — spreadsheet (short-term) or CLM tool (long-term)
  6. Set up expiry monitoring — even a basic script that checks NotAfter dates weekly

Next Step

We run a certificate discovery assessment that answers exactly this question — how many certificates exist in your environment, where they live, and which ones are untracked.

If you’ve never done a full internal certificate discovery, let’s start there.

Stay Ahead on Crypto & PKI

Monthly insights on certificate management, post-quantum readiness, and enterprise security.

Subscribe Free

Related Insights

Certificate Lifecycle Management

The Real Cost of a Certificate Outage (It's Not Just Downtime)

Certificate outages cost $22K per incident when you factor in engineer hours, lost productivity, helpdesk surge, and compliance findings. See the full cost breakdown.

By Mani sri kumar

10 Jul, 2026 · 04 Mins read

Certificate Lifecycle ManagementEnterprise Security

Certificate Lifecycle Management

Why 'We'll Know When It Breaks' Is Not a Certificate Strategy

Reactive certificate management costs 10x more than proactive. Compare MTTD, MTTR, and total cost between firefighting and planned maintenance approaches.

By Mani sri kumar

10 Jul, 2026 · 05 Mins read

Certificate Lifecycle ManagementEnterprise Security

Certificate Lifecycle Management

47-Day Certificates Are Coming — Is Your Team Ready?

Google and Apple are pushing 47-day certificate lifespans. Manual processes will catastrophically fail. Here's what you need to automate now.

By Mani sri kumar

10 Jul, 2026 · 03 Mins read

Certificate Lifecycle ManagementPKI Automation

Ready to Secure Your Enterprise?

Experience how our cryptographic solutions simplify, centralize, and automate identity management for your entire organization.

Stay ahead on cryptography & PKI

Get monthly insights on certificate management, post-quantum readiness, and enterprise security. No spam.

We respect your privacy. Unsubscribe anytime.