Skip to main content
banner image
venafi logo

Exposed TLS Certificates Force PKI Lead to Quit: How Badly Managed PKI Poses Serious Risk [Case Study]

Exposed TLS Certificates Force PKI Lead to Quit: How Badly Managed PKI Poses Serious Risk [Case Study]

August 18, 2022 | Robyn Weisman

PKI is kind of like death and taxes. It’s something you neither want to think too much about nor can avoid. But most organizations have to contend with it in some form or another. And more than a few use Windows internal Certificate Authorities (CAs) to manage internal PKIs, even though they frequently need to be updated and treated as if they were glass animals.

But what do you do when the animals break, and the zookeeper up and leaves you?

Get Fast, Simple, SaaS-Based Private PKI With Venafi!
'I'm out of here' — PKI lead 

That’s the situation a healthcare company found themselves in when their PKI lead—who had already warned that constantly patching and updating these Windows PKIs was too much work for him to manage—stumbled on a group of TLS certificates with their matching private keys sitting exposed on a server.

Explained the company’s director of InfoSec:

The PKI lead basically said, “I’m out of here.” [It] was a wakeup call to us that our machine identity management program needed a complete overhaul. No one even knew how to quantify the security and availability risks, let alone how much money and time we were wasting.

The company ruled out hiring a replacement PKI admin because it would have been too pricey. And they couldn’t spend a year or so to refresh their current PKI, which was how long they would need to fix the problem on their own. Instead, they needed a solution that they could get up and running quickly and leverage automation to scale for multiple digital transformation initiatives.

The company’s primary CA pushed their branded solution to manage the internal PKI, but its user interface looked like something from the Y2K era. And putting aside the overwhelming number of steps needed to onboard anyone, it didn’t work natively with Active Directory, which meant deployment would take too long. “We were in a bad place, if I’m being honest,” the director admitted.

Venafi solution: Zero Touch PKI

Fortunately, Venafi, the company’s TLS machine identity solution provider, learned of their PKI emergency and suggested they check out Zero Touch PKI. This solution would enable the company to replace their Microsoft PKIs with a managed “PKI-as-a-Service” that would cost a fraction of what replacing those PKIs would cost. Even better, end users wouldn’t notice any change with a solution that was 100% compatible with Active Directory, Windows desktops and laptops, Microsoft Intune and more.

When Venafi told them the SLA (service-level-agreement) from purchase order to production was three weeks, the company decided to try it—although the director admitted it seemed “too good to be true.”

And yet it wasn’t. If anything, he felt that Venafi had undersold the benefits. The managed PKI solution was deployed on the company’s system in 19 days and delivered an immediate improvement in security while reducing all the complexity they used to have to contend with.

Said the director:

“Zero Touch PKI didn’t change anything in our current environment, except of course eliminate the cost, headaches and risk. The auto-enrollment proxy took a half hour to configure and prove out, and then Zero Touch PKI was issuing certificates easy-peasy. We eliminated enormous security risks and were immediately able to automate everything that used to be a pain.”

In addition, the solution provided instant scalability, no additional load balancers or servers needed, as well as reduced the overall risk of compromise, a constant worry in the old Microsoft PKI setup.

Want to learn more? Click here to read the case study. But before you go, here’s one more comment from the director of InfoSec:

“I feel like a huge weight has been lifted, and I can’t quite believe it. Zero Touch PKI did everything we needed almost instantly and then some!”

Related Posts


Like this blog? We think you will love this.
Featured Blog

Weak PKI Implementation is a Major Cyber Risk

No clear ownership is a problem How can an enterprise mai

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Robyn Weisman
Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more