Metrics to prove progress
Trust Architecture Playbook: Issuance pillar
The following metrics track progress toward a well-governed, operationally mature issuance capability for the DigiCert® ONE platform.
CA design and planning
Cryptographic baseline documented: approved algorithms, key sizes, hash functions, and validity limits defined for roots, intermediates, and end-entity certificates, with a transition roadmap for algorithm deprecation.
Number of issuing CAs commissioned or connected to Trust Lifecycle Manager with documented purpose and owner (trend: increasing toward target state).
Revocation strategy defined: CRL and OCSP endpoints are identified for each connected CA, reachability of those endpoints from relying parties is confirmed, and revocation checking behavior (hard fail, soft fail, stapling) is defined for each environment.
DigiCert Private CA
CA hierarchy documented and approved: target CA hierarchy diagram exists with roots, intermediates, use-case mapping, validity periods, key protection requirements, and revocation endpoints defined.
Core policy documents identified and approved for each CA before it enters production.
Active issuing CAs mapped to documented purposes, with distinct CAs where validity requirements, revocation requirements, algorithm choices, or compromise impact tolerances differ (target: 100% of issuing CAs have a documented purpose and owner).
Percent of CA keys stored in HSMs (target: 100% for root and issuing CAs).
CRL and OCSP infrastructure availability for all active issuing CAs (target: 100%).
Customer-hosted deployments: failover procedures documented and tested for all production issuing CAs.
DigiCert CertCentral
CertCentral connector active in Trust Lifecycle Manager with verified credentials and a named owner.
For organizations with multiple public trust issuance teams: one dedicated CertCentral connector per issuance team.
Non-default ICA chain selections documented: for each CertCentral product type using a non-default chain, a record exists of the chain configured, the rationale, and who approved it.
Third-party CA connectivity
Number of third-party CA connectors active in Trust Lifecycle Manager, each with a named owner and verified credentials (target: one connector per active CA account; no ownerless or stale connectors).
Root and intermediate certificates for third-party private CAs uploaded to Trust Lifecycle Manager, so that chain analysis and crypto hygiene checks for certificates issued by those CAs are accurate (target: 100%).
PQC readiness
Percent of active certificates using classical algorithms inventoried in Trust Lifecycle Manager with crypto hygiene data (baseline: 100% before PQC work begins).
Number of high-risk certificates identified for PQC migration prioritization (long-lived certificates, CA keys, certificates protecting sensitive workloads).
PQC pilot milestone: at least one PQC certificate type issued and tested in a non-production environment.
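Several of the metrics above (the cryptographic baseline, the identification of CRL and OCSP endpoints per CA, and the classical-algorithm inventory and high-risk selection for PQC migration) come down to the same operation: read each certificate, record its algorithm, key size, validity period and revocation pointers, and compare them with the documented baseline. The Go program below is an added example of that check written against the standard library; it is not DigiCert, Trust Lifecycle Manager or DigiCert ONE code, and it does not call any DigiCert API. The baseline limits (3072-bit RSA minimum, 398-day leaf validity, 15-year CA validity, 730 days as the "long-lived" threshold) are assumed values chosen for illustration, and the CA, hostnames and CRL/OCSP URLs are made up; the sample certificates are generated in memory so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Baseline struct { // limits a documented cryptographic baseline defines
	MinRSABits                     int
	MaxLeafValidity, MaxCAValidity time.Duration
}

// DefaultBaseline's values are assumed for this example; substitute the limits from your own baseline.
var DefaultBaseline = Baseline{MinRSABits: 3072, MaxLeafValidity: 398 * 24 * time.Hour, MaxCAValidity: 15 * 365 * 24 * time.Hour}

// CertRecord is one row of the crypto-hygiene inventory.
type CertRecord struct {
	Subject, Issuer, Algorithm, SigAlg, PQCPriority string
	IsCA                                            bool
	KeyBits, ValidityDays                           int
	CRLURLs, OCSPURLs, Findings                     []string
}

// Inventory extracts algorithm, key size, validity and revocation endpoints from a parsed certificate and records every deviation from the baseline as a finding.
func Inventory(c *x509.Certificate, b Baseline) CertRecord {
	r := CertRecord{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName, IsCA: c.IsCA,
		SigAlg: c.SignatureAlgorithm.String(), CRLURLs: c.CRLDistributionPoints, OCSPURLs: c.OCSPServer}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		r.Algorithm, r.KeyBits = "RSA", k.N.BitLen()
		if r.KeyBits < b.MinRSABits {
			r.Findings = append(r.Findings, fmt.Sprintf("RSA key %d bits below minimum %d", r.KeyBits, b.MinRSABits))
		}
	case *ecdsa.PublicKey:
		r.Algorithm, r.KeyBits = "ECDSA", k.Curve.Params().BitSize
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		r.Findings = append(r.Findings, "deprecated signature hash: "+r.SigAlg)
	}
	validity, limit := c.NotAfter.Sub(c.NotBefore), b.MaxLeafValidity
	r.ValidityDays = int(validity.Hours() / 24)
	if c.IsCA {
		limit = b.MaxCAValidity
	}
	if validity > limit {
		r.Findings = append(r.Findings, fmt.Sprintf("validity %d days exceeds limit of %d days", r.ValidityDays, int(limit.Hours()/24)))
	}
	// A root carries no revocation pointers by design; every other certificate must name at least one.
	if !c.IsCA && len(c.CRLDistributionPoints) == 0 && len(c.OCSPServer) == 0 {
		r.Findings = append(r.Findings, "no CRL or OCSP endpoint")
	}
	r.PQCPriority = "normal" // raised for the two criteria a certificate itself reveals: CA key, long lifetime
	if c.IsCA || r.ValidityDays > 730 {
		r.PQCPriority = "high"
	}
	return r
}

// mustCert signs a template and parses the result; panicking is acceptable for sample data.
func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return c
}

// BuildSampleCerts constructs an in-memory issuing CA, one compliant leaf and one non-compliant leaf, in that order. Names and URLs are made up.
func BuildSampleCerts() []*x509.Certificate {
	now := time.Now().Truncate(time.Second)
	caKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA 1"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	goodKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good := mustCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "api.example.test"},
		NotBefore: now, NotAfter: now.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.test/issuing1.crl"}, OCSPServer: []string{"http://ocsp.example.test"}},
		ca, &goodKey.PublicKey, caKey)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 2048) // below the assumed 3072-bit minimum
	weak := mustCert(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "legacy.example.test"},
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}, // no CRL or OCSP endpoint
		ca, &weakKey.PublicKey, caKey)
	return []*x509.Certificate{ca, good, weak}
}

func main() {
	for _, c := range BuildSampleCerts() {
		fmt.Printf("%+v\n", Inventory(c, DefaultBaseline))
	}
}
```

Run with go run: the compliant leaf produces no findings, the legacy leaf produces three (key size, validity, missing revocation endpoint), and both the CA and the five-year leaf are marked high priority for PQC migration. To run it against a real estate, replace BuildSampleCerts with x509.ParseCertificate over certificates exported from the inventory; the CRLURLs and OCSPURLs columns then give the per-CA endpoint list that the revocation-strategy metric asks for, and confirming reachability of those URLs from each relying-party network is the separate step that follows.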