Certificate lifecycle management (CLM) is the end-to-end process of managing TLS/SSL certificates — from initial discovery and issuance, through ongoing monitoring and renewal, to eventual revocation or replacement. It is a category of software and practice that has moved from "enterprise-only" to "necessary for any organisation that runs HTTPS" as certificate complexity and regulatory requirements have grown.
This guide explains what certificate lifecycle management covers, why it matters more now than it did five years ago, and what to look for when evaluating CLM software.
The five stages of the certificate lifecycle
Stage 1: Discovery
Before you can manage certificates, you need to know they exist. Discovery is the process of finding all TLS certificates in use across your infrastructure — internet-facing services, internal systems, cloud environments, and supplier-managed systems that run on your domains.
Most organisations discover they have significantly more certificates than they thought. Certificate Transparency logs, active scanning, and on-premise agents for internal networks are the three primary discovery mechanisms.
Stage 2: Issuance and inventory
Issuance covers requesting, approving, and installing certificates. For public TLS certificates, this typically involves a Certificate Authority (CA) process — automated via ACME for Let's Encrypt and compatible CAs, or manual for extended validation or internal CA certificates.
Inventory is the ongoing record of what exists: domains, expiry dates, issuing CA, responsible owner, and which systems the certificate protects.
Stage 3: Monitoring
Monitoring is continuous automated scanning for problems — not just expiry dates, but cipher suite weaknesses, chain errors, OCSP revocation status, protocol version issues, and anomalies in Certificate Transparency logs (new certificates issued to your domains that you did not request).
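As an added example of the monitoring stage (not CertControl's code), the following Python script evaluates one endpoint the way a CLM monitor would: it reads the negotiated protocol version, the cipher suite and the leaf certificate's expiry, and turns them into graded findings. The scoring logic is a pure function over the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so it can be exercised offline on a constructed certificate record; `probe()` performs the live connection, and because it uses `ssl.create_default_context()` a chain or hostname failure is reported as a finding rather than crashing the run. The thresholds and weak-cipher markers are assumptions to tune per organisation.

```python
"""Single-endpoint TLS monitor. Added example, not part of the page's product."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed thresholds; a real deployment would make these configurable.
WARN_DAYS = 30
CRIT_DAYS = 7
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# Constructed certificate record in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Mar 15 12:00:00 2026 GMT",
}


def days_remaining(cert, now):
    """Whole days until the certificate's notAfter, negative if already expired."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (not_after - now).days


def evaluate(cert, version, cipher_name, now):
    """Return (severity, message) findings for one endpoint.

    Expiry is one signal among several: protocol version and cipher
    suite are checked alongside it, as the monitoring stage describes.
    """
    findings = []
    days = days_remaining(cert, now)
    if days < 0:
        findings.append(("critical", f"certificate expired {-days} days ago"))
    elif days <= CRIT_DAYS:
        findings.append(("critical", f"certificate expires in {days} days"))
    elif days <= WARN_DAYS:
        findings.append(("warning", f"certificate expires in {days} days"))
    if version in LEGACY_VERSIONS:
        findings.append(("warning", f"negotiated legacy protocol {version}"))
    if any(marker in cipher_name.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(("warning", f"weak cipher suite {cipher_name}"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to a single grade for alert routing."""
    levels = {sev for sev, _ in findings}
    if "critical" in levels:
        return "critical"
    if "warning" in levels:
        return "warning"
    return "ok"


def probe(host, port=443, timeout=5.0, now=None):
    """Connect to a live endpoint and evaluate what it negotiates.

    The default context verifies the chain and hostname; a verification
    failure is itself a finding (chain error, wrong name, untrusted CA).
    """
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return evaluate(cert, tls.version(), tls.cipher()[0], now)
    except ssl.SSLCertVerificationError as exc:
        return [("critical", f"chain or hostname verification failed: {exc.verify_message}")]
    except (ssl.SSLError, OSError) as exc:
        return [("critical", f"handshake failed: {exc}")]


if __name__ == "__main__":
    # Usage: python monitor.py <hostname>; without an argument, score the sample.
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])
    else:
        results = evaluate(
            SAMPLE_CERT, "TLSv1.3", "TLS_AES_256_GCM_SHA384",
            datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc),
        )
    for severity, message in results:
        print(f"[{severity}] {message}")
    print("grade:", worst_severity(results))
```

The `ssl` module only exposes the leaf certificate, so chain completeness and OCSP status are covered here indirectly, by whether the default context's verification succeeds; a fuller monitor would add an explicit OCSP query and a CT-log comparison on top of this.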
Stage 4: Renewal
Renewal is the process of replacing a certificate before it expires. In a manual workflow, this means someone receives an alert, requests a new certificate, gets approval, installs it, and verifies it. In an automated workflow using ACME, this happens without human intervention.
With CA/Browser Forum decisions reducing TLS certificate lifetimes to 47 days by 2029, renewal automation is no longer optional — an organisation with 1,000 certificates faces 8,000 renewals per year at that cadence.
Stage 5: Revocation
Certificates can be revoked before they expire — if the private key is compromised, if a server is decommissioned, or if a certificate was issued incorrectly. CLM software tracks revocation status via OCSP and flags revoked certificates that are still in use.
What CLM software automates
The value of CLM software is not just visibility — it is automating the work that otherwise falls on humans. Concretely, this means:
- Discovering new certificates automatically (via CT logs and active scanning) without manual addition
- Sending expiry alerts to the right people at the right time — not a shared inbox that nobody watches
- Grading TLS configurations automatically and flagging regressions
- Renewing certificates via ACME without human involvement
- Generating compliance documentation that proves continuous management — not a snapshot
Manual certificate management vs. CLM software: where it breaks down
Teams that use spreadsheets and calendar reminders do not fail because they are careless. They fail because the manual approach has structural weaknesses:
The unknown certificate problem: A spreadsheet only contains certificates someone knew about and remembered to add. Supplier certificates, cloud certificates, internal certificates provisioned by other teams — these accumulate outside the tracked inventory.
The stale inventory problem: A spreadsheet is accurate the moment it is saved, and increasingly inaccurate thereafter. Certificates are added, removed, and renewed constantly.
The accountability gap: A calendar reminder is owned by one person. When that person changes roles or leaves, the reminder disappears. CLM software assigns ownership at the system level, not the individual level.
The scale problem: Manual management breaks at some certificate count that differs per organisation — but 47-day certificates make the breaking point irrelevant. At 47-day lifetimes, automation is the only viable approach regardless of scale.
What to look for in CLM software
A buyer's checklist for certificate lifecycle management software:
- Automated discovery via CT logs, active scanning, and on-premise agent for internal networks
- Monitoring beyond expiry dates: cipher suites, protocol versions, chain health, OCSP
- Alerts to named recipients with configurable thresholds — not just shared inboxes
- ACME/Let's Encrypt integration for automated renewal
- Compliance reporting (NIS2, ISO 27001) with audit-log history
- EU hosting if your organisation is subject to GDPR
- Dedicated instance per customer (not shared multi-tenant infrastructure)
Certificate lifecycle management and NIS2
NIS2 Directive Article 21 requires documented risk analysis and controls for information systems — explicitly including TLS/PKI infrastructure. CLM software is not just operationally useful under NIS2; it is the foundation of the documentation that supervisory authorities expect. A continuous audit log proving months of systematic management is far more defensible than a spreadsheet created before an inspection.
How CertControl covers the full certificate lifecycle
The buyer's checklist above describes what good CLM software does. CertControl is built to meet each of those requirements:
- Automated discovery via CT logs, active scanning, and on-premise agent. Certificate Transparency log querying finds every publicly trusted certificate issued for your domains. Active scanning discovers what is live. The on-premise agent reaches internal certificates behind the firewall — AD servers, intranets, CI/CD pipelines — that external scanning cannot see.
- Monitoring beyond expiry: cipher suites, protocol versions, chain health, OCSP, security headers. Each endpoint gets a TLS grade based on seven cipher probe categories, protocol version support, HSTS and CSP presence, chain completeness, and OCSP stapling. Expiry is one signal among many.
- ACME / Let's Encrypt integration for automated renewal. CertControl handles HTTP-01 and DNS-01 challenges, renewing certificates automatically. Private keys are encrypted at rest with AES-256-GCM. Failed renewal automations surface as alerts with enough lead time to intervene manually.
- NIS2 and ISO 27001 compliance reports with audit-log history. Executive summaries, operational risk reports, expiry forecasts, and TLS drift reports are generated continuously — not assembled on request. The audit log proves monitoring was running throughout the year, not just before the inspection.
- EU-hosted, dedicated instance per customer. Each CertControl customer gets their own isolated instance — no shared infrastructure, no multi-tenant data commingling. Relevant for GDPR and data residency requirements.