Reducing “Unknown Certificate” Risk at Scale: A Comparative Evaluation of TLS Certificate Discovery Architectures

Authors

  • Vasilii Turuntaev

Keywords:

certificate lifecycle management, auto-discovery, cloud security, infrastructure monitoring, cybersecurity risk

Abstract

TLS/SSL certificates are a foundational trust primitive in modern digital infrastructures, yet certificate-related outages persist despite the widespread adoption of monitoring tools and enterprise certificate lifecycle management platforms. This paper addresses this puzzle by (1) classifying and analyzing existing certificate monitoring and management approaches to identify their systematic architectural limitations; (2) designing an alternative automated monitoring method that targets these gaps by rethinking certificate discovery; and (3) evaluating its effectiveness relative to conventional approaches using controlled cyber-threat modeling in a virtualized environment. We develop a human-error-aware simulation that applies identical, time-indexed infrastructure change events to multiple monitoring architectures across legacy and cloud scenarios, enabling direct comparison of inventory completeness, omission risk, and discovery latency. The results show that configuration-bound monitoring approaches (those that check only the endpoints recorded in a hand-maintained configuration) degrade with infrastructure scale and dynamism, whereas an auto-discovery model that derives its inventory from layer-7 (L7) load balancer and front-end state maintains substantially higher visibility and lower omission rates, particularly in cloud environments. These findings suggest that reducing “unknown certificate” risk requires architectural innovation in discovery mechanisms rather than incremental improvements to configuration discipline, with important implications for organizational risk management and national cybersecurity resilience.
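The comparison the abstract describes can be made concrete with a small constructed simulation. The code below is an added illustration, not the paper's simulation, its event schedule or its data: it assumes a hypothetical set of time-indexed change events (with the human-error factor modelled as a `config_update_t` field that is late or `None` when an operator forgets to register a new endpoint), a hypothetical two-step poll interval for the auto-discovery monitor, and that the L7 load balancer's front-end list is the ground truth for what is actually serving TLS. Both architectures are fed identical events and scored on the three metrics named in the abstract: inventory completeness, omissions ("unknown certificates"), and discovery latency.

```python
"""Constructed toy model of two certificate-discovery architectures.

Added illustration only: the event schedule, poll interval and metric
definitions are assumptions for this example, not the paper's model.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    t: int                              # time step the change lands in production
    kind: str                           # "deploy" or "retire"
    host: str                           # hostname whose certificate is exposed
    config_update_t: Optional[int] = None  # when an operator records it in the
                                           # monitor config; None = forgotten


# Constructed, time-indexed change events shared by both architectures.
EVENTS = [
    Event(0, "deploy", "www.example.test", config_update_t=0),
    Event(1, "deploy", "api.example.test", config_update_t=3),      # registered late
    Event(2, "deploy", "legacy.example.test", config_update_t=None),  # never registered
    Event(4, "deploy", "admin.example.test", config_update_t=None),   # never registered
    Event(5, "retire", "www.example.test", config_update_t=None),     # config left stale
    Event(6, "deploy", "shop.example.test", config_update_t=6),
]


def production_state(events, t):
    """Hosts actually serving TLS at time t (what the L7 LB front-end list shows)."""
    live = set()
    for e in sorted(events, key=lambda e: e.t):
        if e.t > t:
            break
        if e.kind == "deploy":
            live.add(e.host)
        else:
            live.discard(e.host)
    return live


def config_bound_inventory(events, t):
    """What a monitor driven by a hand-maintained endpoint list knows at time t."""
    inv = set()
    recorded = [e for e in events if e.config_update_t is not None and e.config_update_t <= t]
    for e in sorted(recorded, key=lambda e: e.config_update_t):
        if e.kind == "deploy":
            inv.add(e.host)
        else:
            inv.discard(e.host)
    return inv


def auto_discovery_inventory(events, t, poll_interval):
    """Inventory rebuilt from LB front-end state at the most recent poll at or before t."""
    last_poll = (t // poll_interval) * poll_interval
    return production_state(events, last_poll)


def evaluate(events, horizon, poll_interval=2):
    """Score both architectures on completeness, omissions, stale entries and latency."""
    architectures = {
        "config_bound": lambda t: config_bound_inventory(events, t),
        "auto_discovery": lambda t: auto_discovery_inventory(events, t, poll_interval),
    }
    results = {}
    for name, inventory_at in architectures.items():
        completeness, stale, first_seen = [], [], {}
        for t in range(horizon + 1):
            live = production_state(events, t)
            inv = inventory_at(t)
            # Share of live certificates the monitor actually knows about.
            completeness.append(len(live & inv) / len(live) if live else 1.0)
            # Entries the monitor still checks although nothing serves them.
            stale.append(len(inv - live))
            for host in inv & live:
                first_seen.setdefault(host, t)
        latencies, unknown = [], []
        for e in events:
            if e.kind != "deploy":
                continue
            if e.host in first_seen:
                latencies.append(first_seen[e.host] - e.t)
            else:
                unknown.append(e.host)  # an "unknown certificate" within the horizon
        results[name] = {
            "mean_completeness": round(sum(completeness) / len(completeness), 3),
            "unknown_certs": sorted(unknown),
            "max_stale_entries": max(stale),
            "mean_discovery_latency": round(sum(latencies) / len(latencies), 2) if latencies else None,
        }
    return results


if __name__ == "__main__":
    for arch, metrics in evaluate(EVENTS, horizon=8).items():
        print(arch, metrics)
```

With this schedule the config-bound monitor never learns of the two unregistered hosts and keeps checking the retired one, while the auto-discovery monitor's only cost is a latency bounded by its poll interval; the stale-entry count is the same for both because the LB-driven model is also one poll behind a retirement. Larger or more dynamic schedules can be swapped into `EVENTS` to see how each metric moves with scale, which is the comparison the abstract draws.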

Author Biography

  • Vasilii Turuntaev

    Independent Infrastructure Security Expert, Spokane, WA, 99216, USA

Published

2026-02-07

Section

Articles

How to Cite

Vasilii Turuntaev. (2026). Reducing “Unknown Certificate” Risk at Scale: A Comparative Evaluation of TLS Certificate Discovery Architectures. International Journal of Computer (IJC), 57(1), 50-64. https://www.ijcjournal.org/InternationalJournalOfComputer/article/view/2485