MediumChecklist

PKI Compliance Checklist

Comprehensive checklist for organizations to assess and maintain PKI compliance posture. Covers certificate inventory, key management, algorithm requirements, automation readiness, and regulatory awareness. Designed for quarterly reviews.

1-2 hours (initial), 30 min (quarterly)

Last Updated: December 2025

Progress: 0/86 complete0%

When to Use

• Quarterly PKI compliance review
• Preparing for security audit
• Assessing organizational PKI maturity
• After a certificate-related incident

Do NOT Use For

• Emergency certificate replacement (use Emergency Runbook)
• Single certificate installation (use platform-specific checklist)

Quick Reference (TL;DR)

Maintain complete certificate inventory across all environments
Automate expiration monitoring and renewal
Use strong algorithms (RSA 2048+, SHA-256+, no SHA-1)
Plan for 47-day certificate validity by 2029

1Certificate Inventory

Objective: Maintain complete visibility of all certificates in your organization

Complete inventory of all certificates exists and is accessible

Inventory includes: Issuing CA, expiration date, key size/algorithm

Inventory includes: Hostnames/SANs, deployment location(s), certificate owner

Inventory covers ALL environments (production, staging, dev, DR, test)

Inventory includes non-TLS certificates (code signing, S/MIME, client auth)

Process exists to discover unknown/rogue certificates

Inventory is updated whenever certificates are issued, renewed, or revoked

💡 Certificate Transparency logs (crt.sh) can help discover certificates issued for your domains

💡 Consider CLM tools like Venafi, Keyfactor, or DigiCert for automated discovery

3Algorithm & Key Requirements

Objective: Ensure all certificates use secure, modern cryptography

All RSA keys are 2048-bit minimum

RSA 4096-bit used for high-value certificates (recommended)

ECC keys use P-256 or P-384 curves

All certificates use SHA-256 or stronger hash algorithm

No SHA-1 certificates in use (deprecated since 2017)

No 1024-bit RSA keys in use (insecure)

No MD5 signatures in use

Aware of post-quantum cryptography timeline

Monitoring NIST post-quantum standards development

💡 ECC P-256 provides equivalent security to RSA 3072 with better performance

💡 Post-quantum algorithms (ML-KEM, ML-DSA) are being standardized by NIST for 2024+

4Certificate Validity Periods

Objective: Stay ahead of shrinking certificate lifetimes

All public TLS certificates are ≤ 398 days

Aware of upcoming 90-day maximum (March 2026)

Aware of upcoming 47-day maximum (March 2029)

Automation planning in progress for shorter lifetimes

Internal certificate validity follows organizational policy

Code signing certificates follow CA/Browser Forum requirements

💡 March 2026: Maximum 200-day validity takes effect

💡 September 2026: Maximum 100-day validity takes effect

💡 March 2029: Maximum 47-day validity takes effect

7Certificate Transparency

Objective: Leverage CT for visibility and security

Understand Certificate Transparency (CT) requirements

All public TLS certificates are logged to CT (automatic with public CAs)

Monitoring CT logs for unauthorized certificates (recommended)

Process exists to respond to rogue certificate discovery

Aware of CT log requirements for EV certificates

8Revocation Readiness

Objective: Be prepared to revoke certificates quickly when needed

Know how to request revocation from each CA you use

Emergency revocation contacts documented (24/7 if needed)

Understand 24-hour revocation requirement for key compromise

Understand 5-day revocation for other reasons

Key compromise response procedure documented

If internal CA: CRL publishing is operational

If internal CA: OCSP responder is operational (if used)

Revocation process has been tested

9Automation & Certificate Agility

Objective: Be ready to replace all certificates quickly

Certificate deployment is automated where possible

ACME protocol (Let's Encrypt) used for appropriate use cases

Can replace ALL certificates within 30 days if required

Certificate replacement procedure has been tested

CLM tool evaluated or in use (Venafi, Keyfactor, DigiCert, Sectigo)

Integration with CI/CD pipelines where applicable

Kubernetes cert-manager or equivalent for container environments

10Documentation & Training

Objective: Ensure knowledge is captured and shared

Certificate request process is documented

Certificate installation procedures documented per platform

Team members trained on certificate basics

Incident response plan includes certificate compromise scenario

Post-incident reviews capture lessons learned

Documentation reviewed and updated annually

11Regulatory & Compliance Tracking

Objective: Stay informed of industry requirements and deadlines

Subscribed to CA/Browser Forum updates

Monitoring Chrome Security Blog

Monitoring Mozilla Security Blog

Monitoring Apple Security Updates

Aware of PCI DSS requirements (if processing payments)

Aware of HIPAA requirements (if handling health data)

Aware of FedRAMP requirements (if federal government)

Regular compliance review scheduled (quarterly recommended)

Related Resources

📖 Compliance Hub (Deadline Tracking)🎬 Certificate Lifecycle Demo ✅ CA Migration Runbook ✅ Key Compromise Response Runbook 📖 Crypto Agility vs Certificate Agility 📖 PKI Disasters Hall of Fame

← Back to Checklists Library