Inventory of all certificates + owners
Demonstrate that the organization maintains a complete, accurate inventory of all deployed digital certificates with clearly assigned owners responsible for their lifecycle management.
Description
What this control does
This control requires the organization to maintain a comprehensive, current inventory of every digital certificate (TLS/SSL, code signing, client authentication, S/MIME email, etc.) deployed across the enterprise, recording metadata such as subject and SANs, issuer, validity period, key algorithm and length, signature algorithm, a unique identifier (serial number or SHA-256 fingerprint), deployment location, and the designated owner or responsible party. Each entry must name an owner accountable for renewal, revocation, and replacement. A maintained inventory reduces outages from unnoticed expirations, shrinks the attack surface presented by orphaned or weak certificates, and lets the organization answer "which of our certificates are affected?" within hours when a CA is compromised or an algorithm is deprecated, rather than rediscovering its estate under pressure.
Control objective
What auditing this proves
Demonstrate that the organization maintains a complete, accurate inventory of all deployed digital certificates with clearly assigned owners responsible for their lifecycle management.
Associated risks
Risks this control addresses
- Service outages and application failures due to untracked certificate expirations disrupting encrypted communications
- Unauthorized or rogue certificates remaining active after personnel changes because no owner is assigned to decommission them
- Inability to respond quickly to CA compromise or cryptographic vulnerability announcements affecting specific certificate issuers or algorithms
- Use of weak or deprecated cryptography in untracked certificates (for example RSA keys shorter than 2048 bits or SHA-1 signatures) that nobody will notice or replace
- Compliance violations from failure to revoke certificates when systems are decommissioned or keys are compromised
- Prolonged exposure from compromised certificates that remain active because no owner is monitoring for indicators of misuse
- Shadow IT or unauthorized services operating with valid certificates that bypass security controls and monitoring
Testing procedure
How an auditor verifies this control
- Request the current certificate inventory documentation including all columns for certificate purpose, subject, issuer, unique identifier (serial number or SHA-256 fingerprint), expiration date, key algorithm, key length, deployment location, and assigned owner contact information.
- Select a representative sample of critical systems, external-facing web services, internal APIs, and VPN gateways across different business units for independent certificate discovery.
- Execute automated certificate discovery against the sampled systems. Suitable tools include nmap with the ssl-cert script (note that ssl-enum-ciphers reports cipher suites, not certificates), openssl s_client, or a commercial discovery scanner. Qualys SSL Labs only reaches internet-facing hosts, and certificate transparency logs list only publicly trusted certificates, so neither will find certificates issued by an internal CA.
- Compare the discovered certificates against the inventory, matching on serial number or fingerprint rather than hostname alone (one host can present different certificates per SNI name or port), to identify undocumented certificates, inventory entries for certificates no longer deployed, and metadata that disagrees with what the host actually serves.
- Select five to ten certificates from the inventory and verify the assigned owner is a valid, current employee or team with documented accountability for that certificate.
- Interview two to three certificate owners to confirm they are aware of their assigned certificates, understand renewal procedures, and know how to report compromise or request revocation.
- Review evidence that certificate owners receive automated alerts for certificates approaching expiration at least 60 and 30 days prior to expiry, and that the alerts are routed to the named owner rather than to an unmonitored shared mailbox.
- Examine change management or incident records from the past 12 months to verify the inventory was referenced during certificate renewals, revocations, or cryptographic incident responses.
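The reconciliation step in the procedure above (discovered certificates versus inventory, plus the owner, expiry and weak-algorithm checks) is easy to do badly by eyeballing spreadsheets. The script below is an added example, not part of this page or of any particular product: it assumes an inventory exported as CSV keyed on SHA-256 fingerprint (the column names are my own), scan records in the same shape, and an audit date. All certificates, hosts and owners in it are constructed data. It flags undocumented certificates, stale inventory entries, missing owners, certificates inside the 60-day window, and weak keys or signatures.

```python
"""Reconcile a certificate inventory against discovery-scan results (added example)."""
import csv
import hashlib
import io
import socket
import ssl
from datetime import datetime, timezone

# Placeholder fingerprints for the constructed data (not real certificates).
FP_WEB, FP_VPN, FP_API_OLD, FP_API_NEW = "a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32

# Constructed inventory excerpt in the column layout an auditor would request.
# The VPN entry has no owner; the api-int entry still lists a certificate that
# has since been replaced on the host.
INVENTORY_CSV = f"""\
fingerprint_sha256,subject,issuer,not_after,key_algo,key_bits,sig_algo,location,owner
{FP_WEB},CN=www.example.com,CN=Example Issuing CA,2026-03-01,RSA,2048,sha256WithRSAEncryption,lb-edge-01:443,web-platform
{FP_VPN},CN=vpn.example.com,CN=Example Issuing CA,2025-07-15,RSA,2048,sha256WithRSAEncryption,vpn-gw-02:443,
{FP_API_OLD},CN=api.example.com,CN=Example Issuing CA,2027-01-01,RSA,2048,sha256WithRSAEncryption,api-int-03:8443,platform-api
"""

# Constructed scan output: what a discovery pass against the three hosts returned.
DISCOVERED = [
    {"host": "lb-edge-01:443", "fingerprint_sha256": FP_WEB, "subject": "CN=www.example.com",
     "not_after": "2026-03-01", "key_algo": "RSA", "key_bits": 2048, "sig_algo": "sha256WithRSAEncryption"},
    {"host": "vpn-gw-02:443", "fingerprint_sha256": FP_VPN, "subject": "CN=vpn.example.com",
     "not_after": "2025-07-15", "key_algo": "RSA", "key_bits": 2048, "sig_algo": "sha256WithRSAEncryption"},
    # Someone re-issued the API certificate with a 1024-bit key and SHA-1; the inventory never heard.
    {"host": "api-int-03:8443", "fingerprint_sha256": FP_API_NEW, "subject": "CN=api.example.com",
     "not_after": "2027-01-01", "key_algo": "RSA", "key_bits": 1024, "sig_algo": "sha1WithRSAEncryption"},
]
AUDIT_DATE = datetime(2025, 6, 20, tzinfo=timezone.utc)


def load_inventory(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["key_bits"] = int(row["key_bits"]) if row["key_bits"] else None
    return rows


def weak_key(algo, bits):
    # Thresholds current guidance agrees on: RSA below 2048 bits and EC below 256 bits are out.
    return bits is not None and ((algo == "RSA" and bits < 2048) or (algo == "EC" and bits < 256))


def reconcile(inventory, discovered, now, warn_days=60):
    """Return (code, fingerprint, detail) findings; an empty list means the inventory
    and the scan agree and nothing is weak, ownerless or inside the expiry window."""
    findings = []
    by_fp = {r["fingerprint_sha256"]: r for r in inventory}
    seen = {d["fingerprint_sha256"] for d in discovered}
    scanned_hosts = {d["host"] for d in discovered}

    for d in discovered:
        fp = d["fingerprint_sha256"]
        if fp not in by_fp:
            findings.append(("UNDOCUMENTED", fp, f"{d['subject']} served on {d['host']}, no inventory entry"))
        elif by_fp[fp]["not_after"] != d["not_after"]:
            findings.append(("FIELD_MISMATCH", fp, f"inventory says {by_fp[fp]['not_after']}, host says {d['not_after']}"))
        if weak_key(d["key_algo"], d["key_bits"]):
            findings.append(("WEAK_KEY", fp, f"{d['key_algo']}-{d['key_bits']} on {d['host']}"))
        if d["sig_algo"].lower().startswith(("sha1", "md5")):
            findings.append(("WEAK_SIGNATURE", fp, f"{d['sig_algo']} on {d['host']}"))

    for r in inventory:
        fp = r["fingerprint_sha256"]
        if not r["owner"].strip():
            findings.append(("NO_OWNER", fp, f"{r['subject']} at {r['location']} has nobody accountable"))
        days_left = (datetime.strptime(r["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc) - now).days
        if days_left <= warn_days:
            findings.append(("EXPIRING", fp, f"{days_left} days left, owner={r['owner'] or 'none'}"))
        # Only call an entry stale if its host was actually scanned and did not present it.
        if r["location"] in scanned_hosts and fp not in seen:
            findings.append(("STALE_ENTRY", fp, f"not presented by {r['location']}; inventory is out of date"))
    return findings


def fingerprint_of_host(host, port=443, timeout=5.0):
    """Live discovery (needs network, so not exercised here): fetch the leaf certificate
    and return its SHA-256 fingerprint in the inventory's format plus the DER bytes.
    Verification is disabled on purpose: discovery wants the certificate even when an
    internal or expired CA issued it. With CERT_NONE the stdlib does not decode
    subject/validity (getpeercert() returns {}), so hand the DER to openssl x509 or the
    `cryptography` package to fill the remaining inventory columns."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # server_hostname still sets SNI
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest(), der


if __name__ == "__main__":
    for code, fp, detail in reconcile(load_inventory(INVENTORY_CSV), DISCOVERED, AUDIT_DATE):
        print(f"{code:15} {fp[:16]}...  {detail}")
```

Matching on fingerprint rather than hostname is what makes the STALE_ENTRY and UNDOCUMENTED findings possible: by hostname alone, api-int-03 "has a certificate" and the silent re-issue with a 1024-bit SHA-1 key would pass unnoticed. The EXPIRING finding carries the owner field precisely so that the auditor can see, in one line, that the certificate closest to expiry is also the one nobody owns.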
Where this control is tested