HardChecklist

PKI Audit Preparation Checklist

PKI audits fail on documentation gaps, not cryptographic failures. Auditors want evidence that your CA hierarchy was designed intentionally, operated consistently, and can prove it. This checklist walks you through every category auditors examine — from CA configuration records to key ceremony logs — so you're not assembling evidence under pressure.

Time required: 4-8 hours (initial), 2 hours (subsequent)
Last Updated: March 2026

When to Use

  • Preparing for a scheduled internal or external PKI audit
  • Annual security review of certificate management practices
  • Pre-assessment before SOC 2, PCI DSS, or WebTrust examination
  • After a significant PKI infrastructure change (new CA, migration, etc.)
  • Onboarding a new compliance or security team member

Do NOT Use For

  • Active incident response (use Key Compromise Response Runbook)
  • Routine certificate renewal (use Certificate Renewal Runbook)
  • Single certificate troubleshooting (use Certificate Not Trusted Runbook)

Quick Reference (TL;DR)

  1. Verify CA hierarchy documentation is current and approved
  2. Ensure key ceremony records and HSM logs are accessible
  3. Confirm certificate inventory is complete and reconciled with discovery scans
  4. Gather compliance evidence artifacts at least 30 days before audit
  5. Most common audit finding: the key ceremony log exists but was never updated after the initial CA build

1. CA Hierarchy Documentation

Objective: Verify all CA hierarchy and governance documents exist, are current, and have proper approval chains

2. Key Ceremony Records

Objective: Prove that CA key generation followed a formal, witnessed, and documented ceremony process

⚠️ Most common audit finding: The key ceremony log exists but was never updated after the initial CA build. Check that dates, witness names, and HSM serial numbers actually match reality before an auditor does.

📺 Key Ceremony Best Practices — What Your Script Must Include

3. ADCS / CA Configuration

Objective: Verify CA infrastructure is properly configured, hardened, and documented

4. Revocation Infrastructure

Objective: Verify CRL and OCSP infrastructure is operational, accessible, and monitored

💡 Expired CRLs are an instant audit finding — check all CRL validity periods before the audit

💡 Test revocation end-to-end: revoke a test certificate and verify it appears in the next CRL
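The two checks above (CRL validity periods, and confirming a test revocation actually landed in the published CRL) can be scripted against the DER CertificateList structure from RFC 5280. The following is an added example, not code from the checklist; it uses only the standard library, and the CRL it parses is a constructed, unsigned sample with a placeholder signature (on a real system you would pass the bytes fetched from your CDP URL and the serial of your test certificate).

```python
import datetime as dt

def _tlv(buf, pos):                                 # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: low 7 bits = number of length bytes that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def _items(value):                                  # children of a SEQUENCE / SET body as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):                                # 0x17 UTCTime (YYMMDD...), 0x18 GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(der):
    """(thisUpdate, nextUpdate or None, set of revoked serials) from a DER CertificateList (RFC 5280 s5.1)."""
    tbs = _items(_items(_tlv(der, 0)[1])[0][1])     # CertificateList -> tbsCertList -> its fields
    i = 3 if tbs[0][0] == 0x02 else 2               # skip optional version, signature AlgorithmIdentifier, issuer
    this_update, i = _time(*tbs[i]), i + 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):  # nextUpdate is OPTIONAL in ASN.1 but expected in practice
        next_update, i = _time(*tbs[i]), i + 1
    entries = _items(tbs[i][1]) if i < len(tbs) and tbs[i][0] == 0x30 else []   # revokedCertificates
    revoked = {int.from_bytes(_items(e)[0][1], "big", signed=True) for _, e in entries}
    return this_update, next_update, revoked

def audit_crl(der, now_utc, test_serial=None):      # now_utc as 'YYYY-MM-DDTHH:MM:SSZ'; returns a list of findings
    now = dt.datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    _this_update, next_update, revoked = parse_crl(der)
    findings = []
    if next_update is None:
        findings.append("no nextUpdate: relying parties cannot tell when this CRL goes stale")
    elif next_update <= now:
        findings.append(f"CRL expired at {next_update:%Y-%m-%dT%H:%MZ}; republish and record the incident")
    if test_serial is not None and test_serial not in revoked:
        findings.append(f"test certificate serial {test_serial:#x} is not listed as revoked")
    return findings

def _der(tag, body):                                # tiny DER encoder, used only to build the constructed sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body

def sample_crl():                                   # constructed: valid 2026-03-01..03-08, revokes 0x1001, dummy signature
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))   # sha256WithRSAEncryption
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Test CA"))))  # CN=Test CA
    entry = _der(0x30, _der(0x02, b"\x10\x01") + _der(0x17, b"260302120000Z"))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + _der(0x17, b"260301000000Z")
               + _der(0x17, b"260308000000Z") + _der(0x30, entry))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

The parser deliberately does not verify the CRL signature; it answers the audit-prep questions (is it fresh, is the test serial in it), and signature validation stays with your normal path-validation tooling.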

5. Certificate Inventory

Objective: Demonstrate complete visibility of all certificates across the organization

⚠️ ClientAuth heads-up: If your inventory turns up certificates with the Client Authentication EKU issued by a public CA, start planning your migration to private PKI now. Public CAs lose the ability to issue these on 📅 March 15, 2027.

📺 ClientAuth EKU Deadline Moved to 2027 — What It Means for Your Migration

6. Access Controls & Separation of Duties

Objective: Verify that PKI infrastructure has appropriate security controls, access restrictions, and duty separation

💡 Separation of duties is non-negotiable for WebTrust and SOC 2 — document your controls clearly

💡 Quarterly access reviews should be timestamped and signed off by a manager

7. Change Management

Objective: Demonstrate that PKI infrastructure changes follow a controlled, documented process

💡 Auditors expect a clear audit trail from change request to approval to implementation to verification

💡 Emergency changes should still be documented — retroactive documentation is acceptable if noted

8. Incident & Revocation History

Objective: Document all certificate-related incidents and revocation events during the audit period

💡 One expired production certificate during the audit period is a finding; have a remediation note ready

💡 Previous audit findings with remediation evidence demonstrate continuous improvement

9. Compliance Alignment

Objective: Verify PKI practices align with applicable regulatory frameworks and industry standards

💡 Auditors increasingly ask about automation readiness as certificate lifetimes shrink

📺 ACME Protocol Explained — How TLS Automation Actually Works — relevant if automating renewals as part of audit remediation

📦 Need help building this documentation from scratch?

Compliance-in-a-Box includes pre-built templates for key ceremony scripts, certificate inventory tracking, CA change logs, and CPS documentation — everything on this checklist, ready to customize.


Troubleshooting

Problem: Missing governance documents (CP/CPS)

Solution: Start with the RFC 3647 framework. Even a draft CP/CPS shows auditors you're working toward compliance. The Compliance-in-a-Box template can get you 80% there in a day.

Problem: Certificate inventory doesn't match discovery scan

Solution: Run a full discovery scan, reconcile every difference, and document the results. Common mismatches: dev/test certificates, cloud-managed certificates, and CDN/WAF edge certificates.
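A reconciliation script makes this troubleshooting step, and the inventory requirement in section 5, repeatable and leaves a record you can file as evidence. This is an added example, not the checklist's own tooling: the two CSV blocks are constructed sample data (the column layout and the "public_ca" flag are assumptions about how your inventory and scanner export), and it also applies the ClientAuth-from-a-public-CA check from section 5 to every certificate it sees.

```python
import csv
import io
from datetime import date

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
PUBLIC_CLIENTAUTH_CUTOFF = date(2027, 3, 15)    # date from the checklist after which public CAs stop issuing it

# Constructed sample data: what the inventory system records versus what a discovery scan actually found.
INVENTORY_CSV = """fingerprint,subject,issuer,public_ca,ekus,not_after
aa11,CN=api.example.test,CN=Corp Issuing CA,no,1.3.6.1.5.5.7.3.1,2026-09-01
bb22,CN=vpn-user-42,CN=Public CA G2,yes,1.3.6.1.5.5.7.3.2,2027-06-30
cc33,CN=old-build.example.test,CN=Corp Issuing CA,no,1.3.6.1.5.5.7.3.1,2025-12-31
"""
SCAN_CSV = """fingerprint,subject,issuer,public_ca,ekus,not_after,seen_at
aa11,CN=api.example.test,CN=Corp Issuing CA,no,1.3.6.1.5.5.7.3.1,2026-09-01,10.0.0.5:443
dd44,CN=*.cdn.example.test,CN=Public CA G2,yes,1.3.6.1.5.5.7.3.1,2026-05-01,edge-01:443
ee55,CN=dev-db.example.test,CN=Corp Issuing CA,no,1.3.6.1.5.5.7.3.1;1.3.6.1.5.5.7.3.2,2026-04-01,10.0.9.9:5432
"""

def load(csv_text):
    """Index CSV rows by certificate fingerprint, the one key that is stable across tools."""
    return {row["fingerprint"]: row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(inventory_csv, scan_csv, today_iso):
    """Return the differences an auditor will ask about, keyed by category, with the fingerprints involved."""
    today = date.fromisoformat(today_iso)
    inv, scan = load(inventory_csv), load(scan_csv)
    report = {
        "unregistered": sorted(set(scan) - set(inv)),   # live on the network, unknown to the inventory
        "not_seen": sorted(set(inv) - set(scan)),       # in the inventory, not found by the scan: a client
        "expired": [],                                  # cert like bb22 never listens, so a port scan misses it
        "public_clientauth": [],
    }
    for fp, row in {**inv, **scan}.items():             # scan rows win so seen_at is retained
        if date.fromisoformat(row["not_after"]) < today:
            report["expired"].append(fp)
        if row["public_ca"] == "yes" and CLIENT_AUTH_OID in row["ekus"].split(";"):
            report["public_clientauth"].append(fp)       # must move to private PKI before the cutoff
    return report

def evidence_lines(report):
    """Plain-text lines for the reconciliation record in the audit evidence folder."""
    labels = {"unregistered": "Found by scan, missing from inventory",
              "not_seen": "In inventory, not found by scan (decommissioned or scan gap?)",
              "expired": "Expired",
              "public_clientauth": f"Public-CA ClientAuth, migrate before {PUBLIC_CLIENTAUTH_CUTOFF}"}
    return [f"{labels[k]}: {', '.join(v) or 'none'}" for k, v in report.items()]
```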

Problem: No key ceremony documentation for existing CAs

Solution: Document the current state: when were keys generated, who was present, what HSM was used. Create a formal ceremony script for the next key generation or renewal event.

Problem: Expired CRLs discovered during prep

Solution: Republish CRLs immediately. Investigate why the publishing schedule failed. Document the incident and remediation before the auditor arrives.

Escalation

Internal: Escalate to PKI team lead and CISO if evidence of unauthorized certificate issuance, HSM tamper events, or compromised private keys is discovered during audit preparation.

CA Support: Contact your CA account team if you discover certificates issued outside your approved process, or if you need historical issuance records for the audit period.

After Hours: If critical audit evidence gaps are found close to the audit date, engage PKI operations and compliance teams immediately to assess remediation timeline.