
That’s a fair question, and in theory, yes, you could manually track internal certs based on issue date.

But in practice, large or long-running environments rarely have clean cert inventories. You get:

- Internal CA sprawl (and no single source of truth)

- Certs embedded in keystores, containers, or staging systems that nobody owns anymore

- “Temporary” certs that live on for years

- People leaving without handing off cert responsibilities

We’re not automating monitoring because it’s hard, we’re doing it because teams forget.

And forgetting is what causes outages, broken mTLS, and failed compliance audits, even in air-gapped setups. I have a few horror stories on PCI environments.

Automation helps catch the edge cases before they become fire drills.


