About this pillar
Trust Architecture Playbook: Baseline pillar
Executive summary
One of the most common reasons enterprise certificate management programs falter is that they treat discovery and inventory as if they are the same thing. They are not.
Certificates are (re)issued, renewed, moved, duplicated, and abandoned; new services come online; ownership changes; and shadow PKI emerges whenever governed processes don't keep pace. Discovery surfaces that activity continuously through platform connectors, network and cloud scans, host-level scans, and Certificate Transparency monitoring.
Inventory is discovery combined with context: confirmed ownership, installation locations, environment, business relevance, dependency mappings, and more. Discovery says that a certificate exists; inventory tells you who owns it, where it lives, what it supports, and whether it is ready to be governed and automated.
That matters because it is inventory, not discovery, that every downstream capability depends on. If the inventory isn't correct, policy enforcement is inconsistent, automation is fragile, and certificate-related outages continue to be reactive events instead of governed process failures.
The focus of this pillar is on helping organizations move from raw certificate visibility to a trusted, continuously maintained inventory baseline that supports governance, automation, resilience, and long-term trust lifecycle management.
Intended audience
PKI teams
Application/service owners
Governance/compliance stakeholders
Target outcomes
A mature discovery program produces four outcomes that directly reduce risk and set the stage for automation. The Baseline pillar targets these outcomes:
No unknown certificates: Implement multi-source discovery with ownership assignments to remove blind spots and shadow TLS, creating a complete and defensible inventory.
Mis-issuance detection: Use Certificate Transparency (CT) monitoring and domain-based reconciliation to surface unexpected public-trust issuance before it becomes a liability.
Crypto hygiene baseline: Measure key sizes, signature algorithms, and related policies so vulnerabilities are remediated proactively, not surfaced by an audit or incident.
Automation readiness: Map certificates to owners, platforms, and deployment locations so you can sequence automation by platform and business priority with confidence.
Important
Key takeaway
Discovery is not a one-time exercise; it is an ongoing control with defined scope, repeatable scans, and continuous reconciliation across sources.
Quick start checklist (first 30 days)
The goal in the first 30 days is to establish a working foundation with enough coverage to surface real risk quickly. These six steps get you there:
Deploy sensors and agents: Deploy at least one DigiCert sensor, plus agents where host-level visibility is needed for targeted system scanning/discovery.
Onboard high-fidelity connectors first: Start with issuing CAs, load balancers, cloud certificate services, vaults, and existing vulnerability management/scanning solutions. These are authoritative sources and will anchor the inventory.
Run focused network and cloud scans: Initial network scans should target high-value subnets; run cloud scans to establish your external perimeter baseline.
Enable CT log monitoring: Turn on Certificate Transparency (CT) log monitoring for all primary domains and define a triage workflow for new findings.
Define ownership and tagging standards: Establish a minimal mandatory tag set and ownership model (tag taxonomy, service/app ownership, etc.). Apply to newly discovered assets from the start.
Stand up a weekly reporting cadence: At a minimum, establish a weekly tracking cadence for:
Missing owner
Missing mandatory tags
Expiring soon
New CT discoveries
Weak crypto
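As an added worked example (not DigiCert's code or product output), the reconciliation this checklist describes: findings from an issuing CA connector, a load balancer connector, a network scan, and CT monitoring are merged into one inventory record per certificate fingerprint, and the five weekly tracking buckets are derived from that inventory. The source names, the mandatory tag set, the 30-day horizon, and the sample findings are all constructed for the illustration.

```python
from datetime import date, timedelta

# Constructed discovery findings from four sources (sample values, not real certificates).
DISCOVERED = [
    {"source": "issuing_ca", "fp": "A1", "cn": "api.example.test", "expires": "2026-01-10",
     "key_bits": 2048, "sig": "sha256WithRSAEncryption", "tags": {"owner": "payments", "environment": "prod"}},
    {"source": "load_balancer", "fp": "A1", "cn": "api.example.test", "expires": "2026-01-10",
     "key_bits": 2048, "sig": "sha256WithRSAEncryption", "location": "lb-01:443"},
    {"source": "network_scan", "fp": "B2", "cn": "legacy.example.test", "expires": "2025-12-01",
     "key_bits": 1024, "sig": "sha1WithRSAEncryption", "location": "10.0.5.7:8443"},
    {"source": "ct_log", "fp": "C3", "cn": "staging.example.test", "expires": "2026-06-30",
     "key_bits": 256, "sig": "ecdsa-with-SHA256"},
]
MANDATORY_TAGS = {"owner", "environment"}  # minimal mandatory tag set (assumed for the example)
AUTHORITATIVE = {"issuing_ca", "load_balancer", "cloud_cert_service", "vault"}  # connector sources

def build_inventory(findings):
    """Reconcile per-source findings into one inventory record per fingerprint."""
    inv = {}
    for f in findings:
        rec = inv.setdefault(f["fp"], {"sources": set(), "locations": set(), "tags": {}})
        rec["sources"].add(f["source"])
        rec["locations"].update([f["location"]] if "location" in f else [])
        rec["tags"].update(f.get("tags", {}))          # context attached by a connector or an owner
        rec.update({k: f[k] for k in ("cn", "expires", "key_bits", "sig")})
    return inv

def weak_crypto(rec):
    """Hygiene baseline for the example: RSA keys under 2048 bits or SHA-1 signatures are flagged."""
    return ("RSA" in rec["sig"] and rec["key_bits"] < 2048) or "sha1" in rec["sig"].lower()

def weekly_report(inv, today, horizon_days=30):
    """The five tracking buckets from the 30-day checklist, each a sorted list of fingerprints."""
    rep = {"missing_owner": [], "missing_tags": [], "expiring_soon": [],
           "new_ct_discoveries": [], "weak_crypto": []}
    for fp, rec in sorted(inv.items()):
        if "owner" not in rec["tags"]:
            rep["missing_owner"].append(fp)
        if not MANDATORY_TAGS <= set(rec["tags"]):
            rep["missing_tags"].append(fp)
        if date.fromisoformat(rec["expires"]) - today <= timedelta(days=horizon_days):
            rep["expiring_soon"].append(fp)
        if "ct_log" in rec["sources"] and not rec["sources"] & AUTHORITATIVE:
            rep["new_ct_discoveries"].append(fp)   # public issuance no governed source knows about
        if weak_crypto(rec):
            rep["weak_crypto"].append(fp)
    return rep
```

Calling `weekly_report(build_inventory(DISCOVERED), date(2025, 11, 15))` on the sample data puts B2 in the expiring-soon and weak-crypto buckets, C3 in the new-CT bucket, and both in the missing-owner and missing-tags buckets; A1 is fully reconciled and clean.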
What this pillar doesn't cover
The following topics are out of scope and covered elsewhere in the DigiCert documentation or Trust Architecture Playbook:
Certificate issuance policy and profile design.
End-to-end automation patterns for renewal and deployment.
Incident response runbooks and compliance evidence packaging.