PKI Planning Mistakes
Decisions that seem fine until they're not

1. "We'll document it later"
What happens
Certificates get deployed ad-hoc. All the knowledge about where they're installed, what they're for, and where the private keys live exists only in one person's head. That person leaves.
Why it seems reasonable
"We'll circle back once things settle down."
The reality
Things never settle down. Everyone leaves their jobs eventually. They quit, get fired, or die.
Real-world consequence
Certificate expires. Alert goes to former employee's email. Nobody knows where the cert is installed or where the private key is. Production goes down while you reverse-engineer your own infrastructure.
The fix
- Inventory from day one
- Every certificate gets an owner
- No certificate goes live without an inventory entry
Warning signs
- "I think [person] knows about that one"
- "It's on a server somewhere"
2. "One wildcard to rule them all"
What happens
One wildcard certificate gets used everywhere. The private key gets copied to dozens of servers across dev, staging, and production environments.
Why it seems reasonable
"Convenient, saves money."
The reality
You're trading convenience for blast radius. One compromise means everything is compromised.
Real-world consequence
Developer commits the key to GitHub. Every subdomain is now compromised. Key rotation requires touching 47 servers. You spend days in incident response instead of hours.
The fix
- Different certificates for different security boundaries
- Ask "what if this key leaks?" for every certificate
- Production never shares keys with dev/staging
Warning signs
- Same serial number on prod and dev
- "We copy the cert from the shared drive"
3. "We don't need a multi-CA strategy"
What happens
Everything runs through a single Certificate Authority. When that CA gets distrusted by browsers, you need to replace every single certificate in your organization.
Why it seems reasonable
"DigiCert/Entrust is enterprise-grade. They're not going anywhere."
The reality
Entrust was enterprise-grade too. In 2024, Chrome announced it would distrust Entrust certificates. Hundreds of enterprises scrambled.
Real-world consequence
500 certificates to replace in 90 days. With a CA you've never worked with before. While maintaining production uptime. Your team works weekends for three months.
The fix
- Relationship with at least two Certificate Authorities
- Test issuing from your backup CA yearly
- Know the process to switch before you need it
Warning signs
- No CA evaluation in 3+ years
- Nobody knows the backup CA portal login
- "We've always used [CA name]"
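The three fixes above share one precondition: an inventory you can query. The following is an added example, not code from the original article, of an audit run over such an inventory. The records are constructed sample data, and the field names (host, env, owner, issuer, serial, spki_sha256, not_after) are assumptions about what a real inventory holds. It flags the ownerless certificate from mistake 1, a private key that crosses the prod/staging boundary from mistake 2 (keyed on the public-key fingerprint, which catches shared keys even when serial numbers differ), and the single-CA dependency from mistake 3.

```python
"""Certificate inventory audit for mistakes 1-3 (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed sample inventory. spki_sha256 identifies the public key, so two
# records sharing it share the same private key regardless of serial number.
INVENTORY = [
    {"host": "www.example.com", "env": "prod", "owner": "web-team@example.com",
     "issuer": "CA One", "serial": "0x1a2b", "spki_sha256": "AAAA", "not_after": "2026-01-10"},
    {"host": "api.example.com", "env": "prod", "owner": "",
     "issuer": "CA One", "serial": "0x1a2c", "spki_sha256": "BBBB", "not_after": "2026-03-01"},
    {"host": "api.staging.example.com", "env": "staging", "owner": "api-team@example.com",
     "issuer": "CA One", "serial": "0x1a2c", "spki_sha256": "BBBB", "not_after": "2026-03-01"},
    {"host": "vpn.example.com", "env": "prod", "owner": "netops@example.com",
     "issuer": "CA One", "serial": "0x1a2d", "spki_sha256": "CCCC", "not_after": "2025-12-31"},
]


def find_ownerless(inventory):
    """Mistake 1: every certificate needs a named owner (a team alias, not a person)."""
    return [c["host"] for c in inventory if not c.get("owner", "").strip()]


def find_shared_keys(inventory):
    """Mistake 2: one private key present in prod and in any non-prod environment."""
    by_key = defaultdict(list)
    for c in inventory:
        by_key[c["spki_sha256"]].append(c)
    findings = []
    for key, certs in by_key.items():
        envs = {c["env"] for c in certs}
        if "prod" in envs and len(envs) > 1:
            findings.append((key, sorted(c["host"] for c in certs)))
    return findings


def issuer_concentration(inventory):
    """Mistake 3: the most-used CA and the share of certificates it issued."""
    counts = Counter(c["issuer"] for c in inventory)
    issuer, n = counts.most_common(1)[0]
    return issuer, n / len(inventory)


def audit(inventory, max_issuer_share=0.8):
    """Return one report line per finding; an empty list means a clean inventory."""
    report = []
    for host in find_ownerless(inventory):
        report.append(f"NO OWNER: {host}")
    for key, hosts in find_shared_keys(inventory):
        report.append(f"KEY {key} SHARED ACROSS ENVIRONMENTS: {', '.join(hosts)}")
    issuer, share = issuer_concentration(inventory)
    if share > max_issuer_share:
        report.append(f"SINGLE-CA DEPENDENCY: {share:.0%} of certificates from {issuer}")
    return report


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

The issuer-share threshold is a policy knob: the point is not that 80% is the right number but that the check exists and runs on a schedule, so "we've always used [CA name]" becomes a visible finding rather than an unexamined habit.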
4. "Self-signed is fine for internal"
What happens
Internal services use self-signed certificates. Trust gets established by disabling certificate validation everywhere those services are called.
Why it seems reasonable
"It's internal. Nobody's attacking our internal network."
The reality
Internal doesn't mean safe. And when a self-signed cert gets compromised, there's no revocation path. You can't revoke what was never issued by a CA.
Real-world consequence
Internal service gets compromised. You can't revoke the self-signed certificate. Attacker can impersonate that service indefinitely until you hunt down every client and manually update trust.
The fix
- Private CA for internal services (ADCS, step-ca, AWS Private CA)
- Real certificates even for internal use
- Proper revocation capability from day one
Warning signs
- "Just click through the warning"
- "verify=False" in production code or "--insecure" in curl commands
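Both warning signs are greppable, and the fix is a client that trusts the private CA explicitly rather than one that stops checking. The following is an added example, not code from the original article: a small scanner for the patterns that disable validation, run over a constructed code snippet, next to a client context built the way the private-CA fix requires. The CA bundle path and the patterns beyond the two named in the text are assumptions.

```python
"""Detecting disabled TLS validation, and the context that replaces it (added example)."""
import re
import ssl

# Patterns that disable or neuter certificate validation: the two warning
# signs from the text plus common equivalents (assumed list, extend as needed).
INSECURE_PATTERNS = [
    (r"verify\s*=\s*False", "requests: verify=False"),
    (r"--insecure|(^|\s)-k(\s|$)", "curl: --insecure"),
    (r"_create_unverified_context", "ssl: unverified context"),
    (r"check_hostname\s*=\s*False", "ssl: hostname check disabled"),
    (r"CERT_NONE", "ssl: CERT_NONE"),
    (r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0", "node: TLS validation disabled"),
]


def scan_for_disabled_validation(text):
    """Return (line_number, description) for each line that matches an insecure pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, label in INSECURE_PATTERNS:
            if re.search(pattern, line):
                hits.append((lineno, label))
                break  # one finding per line is enough for a report
    return hits


def internal_client_context(ca_bundle=None):
    """The fix: trust the private CA explicitly instead of disabling validation.

    ca_bundle is the PEM file holding the private CA's root (and intermediates),
    e.g. the bundle exported from ADCS, step-ca or AWS Private CA (path assumed).
    With None the system trust store is used, which is what a public-CA-issued
    certificate needs. Either way hostname checking and CERT_REQUIRED stay on.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed snippet of the kind of code the warning signs describe.
SAMPLE_CODE = """\
import requests
resp = requests.get("https://inventory.internal.example", verify=False)
subprocess.run(["curl", "--insecure", "https://inventory.internal.example"])
ctx = ssl._create_unverified_context()
"""

if __name__ == "__main__":
    for lineno, label in scan_for_disabled_validation(SAMPLE_CODE):
        print(f"line {lineno}: {label}")
```

Run the scanner in CI over the repositories that call internal services; a hit is a service that should be issued a certificate from the private CA and a client that should load that CA's bundle, not a warning to click through.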
5. "We'll automate eventually"
What happens
Automation is planned but keeps getting delayed. Meanwhile, the manual process runs undocumented. The one person who knows how to do it eventually moves on.
Why it seems reasonable
"Big automation initiative next quarter."
The reality
Automation gets delayed. Next quarter becomes next year. Manual processes keep running with no documentation. The person who knows the process moves on.
Real-world consequence
Automation is still on the roadmap for "next year." The person who manually renewed certificates left six months ago. A certificate expires. Nobody knows the process.
The fix
- Document manual processes even if automation is coming
- Automate incrementally - don't wait for the "big initiative"
- Start with monitoring and alerting, then automate renewal
Warning signs
- Automation on the roadmap for 2+ years
- Only one person knows how to renew certificates
- "We'll document it when we automate it"
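"Start with monitoring and alerting" is the smallest automation step that already removes the failure in the consequence paragraph. The following is an added example, not code from the original article, of that step: tiered expiry alerts over inventory records, routed to the certificate's owner with a team alias always copied so that an alert never lands only in a departed employee's mailbox. The inventory records, the "today" date, the threshold ladder and the alias names are constructed assumptions.

```python
"""Expiry monitoring with owner routing (added example, constructed data)."""
from datetime import date

# Alert tiers, checked in order: days remaining at or below the limit gets that
# severity. Renewal automation can later hook in at the "warn" tier.
THRESHOLDS = [(7, "critical"), (14, "high"), (30, "warn")]

# Constructed inventory; not_after is the certificate's expiry date.
INVENTORY = [
    {"host": "www.example.com", "owner": "web-team@example.com", "not_after": date(2025, 7, 20)},
    {"host": "api.example.com", "owner": "", "not_after": date(2025, 7, 5)},
    {"host": "vpn.example.com", "owner": "netops@example.com", "not_after": date(2025, 12, 1)},
    {"host": "old.example.com", "owner": "alice@example.com", "not_after": date(2025, 6, 25)},
]

FALLBACK_OWNER = "pki-oncall@example.com"  # assumed team alias, never an individual
TODAY = date(2025, 7, 1)  # constructed run date


def severity_for(days_left):
    """Map days until expiry to a severity, or None when no alert is due."""
    if days_left < 0:
        return "expired"
    for limit, sev in THRESHOLDS:
        if days_left <= limit:
            return sev
    return None


def recipients(owner):
    """Owner first, then the team alias; the alias alone when no owner is recorded."""
    owner = owner.strip()
    return [owner, FALLBACK_OWNER] if owner and owner != FALLBACK_OWNER else [FALLBACK_OWNER]


def check_expiry(inventory, today):
    """Return the alerts due today, most urgent first."""
    alerts = []
    for cert in inventory:
        days_left = (cert["not_after"] - today).days
        sev = severity_for(days_left)
        if sev is None:
            continue
        alerts.append({
            "host": cert["host"],
            "severity": sev,
            "days_left": days_left,
            "notify": recipients(cert["owner"]),
        })
    order = {"expired": 0, "critical": 1, "high": 2, "warn": 3}
    return sorted(alerts, key=lambda a: (order[a["severity"]], a["days_left"]))


def demo():
    """Run the check against the constructed inventory and run date."""
    return check_expiry(INVENTORY, TODAY)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['severity'].upper():8} {a['host']:20} {a['days_left']:>4}d  -> {', '.join(a['notify'])}")
```

The "expired" tier exists because a monitor that only counts down will go silent at zero; an already-expired certificate must keep alerting until it is replaced or retired from the inventory.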
Key Takeaways
- Every "temporary" decision becomes permanent if you don't document it
- Convenience now equals pain later - plan for the failure scenario
- Single points of failure apply to CAs, people, and processes
- "Internal" doesn't mean "safe" - internal PKI needs real certificates too
- Document today. Automate incrementally. Don't wait for the perfect solution.