A Major Telecom Operator
A major telecom operator serving 45 million subscribers automated certificate lifecycle management across its 5G standalone core network, unifying multi-vendor network function certificate management and achieving 3GPP TS 33.501 security compliance across all network slices.
Certificate Management Challenges in a 5G Core Network
5G SBA certificate sprawl across service-based architecture
The operator's 5G standalone core deployed a service-based architecture (SBA) with over 4,200 TLS certificates securing communications between network functions — AMF, SMF, UPF, NRF, NSSF, PCF, UDM, and AUSF instances across 6 core sites and 40 edge locations. Each network function instance required its own certificate for mutual TLS authentication on the SBI (Service-Based Interface). The shift from 4G's point-to-point interfaces to 5G's mesh-like SBA topology had increased the certificate population by 8x compared to the legacy EPC, overwhelming the manual processes that had worked at 4G scale.
Multi-vendor certificate management complexity
The 5G core network used network functions from three different vendors — each with its own certificate management interfaces, supported CA integrations, and renewal procedures. The AMF and SMF came from one vendor, the UPF from another, and the NRF and NSSF from a third. Each vendor's management plane exposed different APIs for certificate deployment, and some required vendor-specific certificate formats. The network operations team maintained three separate certificate workflows with no unified view of certificate state across the multi-vendor environment.
3GPP TS 33.501 compliance requirements for network security
3GPP TS 33.501 mandated mutual TLS authentication between all 5G core network functions, certificate-based authentication for network slice isolation, and proper certificate lifecycle management including revocation capabilities. The operator's security team could not demonstrate compliance with these requirements across the multi-vendor environment — certificate inventory was incomplete, rotation was inconsistent, and there was no centralized revocation mechanism. Regulatory compliance deadlines from the national telecom authority required documented evidence of 3GPP security compliance within 6 months.
Automated 5G Certificate Lifecycle Management with QCecuring
Unified certificate discovery across multi-vendor 5G network functions
QCecuring discovered all TLS certificates across the operator's 5G core — scanning AMF, SMF, UPF, NRF, NSSF, PCF, UDM, and AUSF instances from all three vendors across 6 core sites and 40 edge locations. The platform integrated with each vendor's management plane APIs to build a complete certificate inventory, mapping certificates to specific network function instances, network slices, and SBI endpoints. For the first time, the network operations team had a single dashboard showing certificate state across the entire multi-vendor 5G core.
Automated renewal with vendor-aware deployment profiles
QCecuring's renewal workflows used vendor-specific deployment profiles that handled the differences in certificate formats, API interfaces, and deployment procedures across the three NF vendors. Automated renewal triggered 30 days before expiry, obtained certificates from the operator's enterprise CA, and deployed them to the correct network function instances using the appropriate vendor API. The platform coordinated renewals to avoid simultaneous certificate changes on dependent NF pairs (e.g., AMF-SMF), preventing mutual TLS handshake failures during rotation.
Network slice certificate visibility and 3GPP compliance reporting
QCecuring provided per-network-slice certificate visibility, showing which certificates secured each slice's NF instances and SBI communications. The platform generated 3GPP TS 33.501 compliance reports documenting mutual TLS enforcement across all SBI interfaces, certificate lifecycle management practices, and revocation readiness. These reports provided the evidence the operator needed for regulatory compliance submissions to the national telecom authority.
Measurable Impact on Network Operations and Compliance
92% fewer certificate incidents
Automated certificate lifecycle management reduced certificate-related service incidents from an average of 12 per quarter to fewer than 1 per quarter. The remaining incidents were traced to edge cases in vendor firmware updates that were subsequently addressed through updated deployment profiles.
3GPP compliance in 4 months
The operator achieved documented compliance with 3GPP TS 33.501 certificate management requirements across its entire 5G core network within 4 months of QCecuring deployment — 2 months ahead of the regulatory deadline. Compliance evidence was submitted to the national telecom authority and accepted without additional findings.
Renewal: 45 min to 3 min per NF
Vendor-aware automated renewal reduced the average certificate renewal cycle from 45 minutes of manual effort per network function instance (including vendor-specific procedures and verification) to approximately 3 minutes of automated processing, freeing the network operations team to focus on capacity planning and service optimization.
Moving to 5G standalone multiplied our certificate management challenge by an order of magnitude. Three vendors, thousands of network function instances, and mutual TLS everywhere — manual processes simply could not keep up. QCecuring unified our multi-vendor certificate operations into a single platform and gave us the compliance evidence our regulator required. Certificate management is no longer a bottleneck for our 5G rollout.
Frequently Asked Questions
How does QCecuring integrate with different 5G network function vendors?
QCecuring uses vendor-specific deployment profiles that integrate with each vendor's management plane APIs for certificate discovery and deployment. The platform supports REST APIs, NETCONF/YANG, and vendor-proprietary interfaces. Each profile handles the vendor's specific certificate format requirements, deployment procedures, and validation steps, providing a unified management experience across the multi-vendor environment.
Can QCecuring manage certificates at the network slice level?
Yes. QCecuring maps certificates to specific network slices, showing which NF instances and SBI endpoints are secured by which certificates within each slice. This per-slice visibility enables the operator to enforce slice-specific certificate policies — for example, shorter validity periods for enterprise slices with stricter security requirements — and generate compliance reports on a per-slice basis.
How does the platform prevent service disruption during certificate rotation?
QCecuring coordinates certificate renewals to avoid simultaneous changes on dependent network function pairs. For example, when renewing certificates on an AMF instance, the platform ensures the corresponding SMF certificates are not being rotated at the same time, preventing mutual TLS handshake failures. Renewals are staged with pre-validation and automatic rollback capabilities if the new certificate fails verification on the target NF.
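The staggering described in this answer and in the renewal section above can be treated as a scheduling problem: certificates inside the 30-day window are grouped into waves so that no two dependent NFs rotate together. This is an added example, not QCecuring's code; the NF names, dates and dependency pairs are constructed, and the greedy wave assignment is an assumed approach.

```python
from datetime import date, timedelta

RENEW_BEFORE = timedelta(days=30)  # renewal trigger stated on the page

# Constructed inventory: NF instance -> certificate notAfter date.
INVENTORY = {
    "amf-1": date(2025, 7, 10),
    "smf-1": date(2025, 7, 12),
    "upf-1": date(2025, 7, 15),
    "nrf-1": date(2025, 7, 20),
    "pcf-1": date(2025, 12, 1),
}
# Constructed SBI dependencies: pairs that must not rotate together.
DEPENDENT_PAIRS = [("amf-1", "smf-1"), ("smf-1", "upf-1"),
                   ("amf-1", "nrf-1"), ("smf-1", "nrf-1")]


def due_for_renewal(inventory, today):
    """NFs whose certificate expires within the window, soonest first."""
    due = [nf for nf, not_after in inventory.items()
           if not_after - today <= RENEW_BEFORE]
    return sorted(due, key=lambda nf: (inventory[nf], nf))


def plan_waves(inventory, pairs, today):
    """Greedy colouring: put each due NF in the earliest wave holding none
    of its dependent peers, so one side of every mTLS pair stays stable."""
    peers = {}
    for a, b in pairs:
        peers.setdefault(a, set()).add(b)
        peers.setdefault(b, set()).add(a)
    waves = []
    for nf in due_for_renewal(inventory, today):
        for wave in waves:
            if not peers.get(nf, set()) & set(wave):
                wave.append(nf)
                break
        else:
            waves.append([nf])  # every existing wave holds a peer
    return waves


def conflicts(waves, pairs):
    """Dependent pairs scheduled in the same wave (should be empty)."""
    return [(a, b) for a, b in pairs
            for wave in waves if a in wave and b in wave]


if __name__ == "__main__":
    plan = plan_waves(INVENTORY, DEPENDENT_PAIRS, date(2025, 6, 20))
    for i, wave in enumerate(plan, 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Because the soonest-expiring certificates are placed first, the number of waves multiplied by the time each wave takes must still fit inside the remaining validity of the earliest certificate.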