Every organization has certificates it does not know about. These shadow certificates create blind spots that undermine security, compliance, and operational reliability. Gaining full visibility is the first step toward regaining control.
A shadow certificate is any digital certificate that exists in your environment but is not tracked, managed, or even known by the teams responsible for security and infrastructure. It is the certificate equivalent of shadow IT: something deployed outside the boundaries of official processes and oversight.
Shadow certificates are not inherently malicious. In most cases, they are created by well-intentioned developers, cloud engineers, or business units who need a certificate quickly and obtain one without going through the organization's formal request process. The problem is not intent; it is invisibility. When a certificate is invisible to your security and operations teams, it cannot be monitored for expiration, validated against policy, or rotated when a vulnerability is discovered.
Research consistently shows that organizations underestimate their certificate count by 40% to 70%. That gap, the difference between certificates you know about and certificates that actually exist, is your visibility gap. Closing it is one of the most impactful things a security team can do, because you cannot protect, renew, or govern what you cannot see.
Shadow certificates do not appear overnight from a single cause. They accumulate over time through multiple channels, each perfectly rational in isolation but collectively creating a sprawl that is difficult to manage.
Developers frequently provision certificates on their own using tools like Let's Encrypt, certbot, or cloud provider dashboards. They need HTTPS for a staging environment, a test API, or a microservice endpoint, and they obtain a certificate in minutes without filing a ticket. These certificates work perfectly but remain invisible to centralized management.
Cloud platforms like AWS, Azure, and GCP can automatically provision and attach certificates to load balancers, CDNs, and API gateways. When infrastructure is deployed through Terraform, Pulumi, or other IaC tools, certificates are often created as side effects of resource provisioning. Unless the certificate lifecycle management (CLM) team monitors cloud provider APIs, these certificates remain unknown.
Many SaaS products allow customers to configure custom domains with TLS certificates. Marketing teams set up branded landing pages, support teams deploy custom help center domains, and partner teams create co-branded portals. Each of these may involve a certificate that the security team has never seen.
When organizations acquire another company, they inherit its entire certificate estate. The acquired company may have used different CAs, different naming conventions, and different (or no) lifecycle management practices. Integrating these certificates into a unified inventory is a major undertaking that often takes months or years, leaving a large blind spot in the meantime.
Shadow certificates are not just an organizational inconvenience. They introduce real, measurable risk across three critical dimensions.
A certificate you do not know about is a certificate you cannot secure. Shadow certificates may use weak key algorithms, be issued by untrusted or compromised CAs, or have overly broad wildcard scopes. If a private key associated with a shadow certificate is compromised, the security team cannot respond because they do not even know the certificate exists. Attackers actively look for these unmonitored endpoints.
Regulations like NIS2, DORA, PCI DSS, and industry frameworks such as ISO 27001 require organizations to maintain an inventory of cryptographic assets and demonstrate that certificates conform to defined policies. Shadow certificates fall outside this inventory by definition. During an audit, the inability to account for all certificates in your environment is a finding that can lead to penalties, remediation mandates, or loss of certification.
Outages are the most common and most visible consequence. A shadow certificate expires, and the service it protects goes down. Because no one was monitoring the certificate, no renewal was triggered. The resulting outage can take hours to diagnose, precisely because the certificate was unknown in the first place. Teams waste time troubleshooting application code or network infrastructure before discovering the root cause is an expired certificate no one knew existed.
Before you can close the gap, you need to measure it. The visibility gap is the difference between the certificates your organization knows about (those in spreadsheets, CMDBs, or a CLM platform) and the certificates that actually exist across your infrastructure.
Use network scanning tools to probe your IP ranges and discover all TLS endpoints. Compare what you find to your existing inventory. The difference is your visibility gap. Most organizations are surprised by how large it is.
Certificate Transparency (CT) logs are public, append-only records of every certificate issued by participating CAs. Querying CT logs for your domains reveals certificates you may not have known about, including those issued by CAs you did not authorize.
Examine certificate inventories in AWS Certificate Manager, Azure Key Vault, GCP Certificate Manager, and any other cloud services your teams use. Cross-reference these with your central inventory to find certificates that were provisioned outside normal channels.
Sometimes the most effective discovery method is simply asking. Development and DevOps teams often know exactly which certificates they have provisioned informally. A brief questionnaire or interview can surface dozens of previously unknown certificates.
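To make the measurement in the preceding steps concrete, here is an added example (not from the original article or from Evertrust) that merges constructed observations from a network scan, a CT log query and a cloud certificate inventory, deduplicates them by SHA-256 fingerprint, and reports the gap against a constructed known inventory. The hostnames, issuers and shortened fingerprints are placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class SeenCert:
    """One consolidated certificate record (constructed shape, not a real inventory schema)."""
    fingerprint: str            # SHA-256 of the DER certificate: the natural dedup key
    subject_cn: str
    issuer: str
    sources: set = field(default_factory=set)   # which discovery channels observed it

# Constructed sample observations from three channels: network scan, CT log query,
# and a cloud provider certificate inventory. Fingerprints are shortened placeholders.
OBSERVATIONS = [
    ("scan",  "f1a2", "www.example.com",         "Corp Internal CA"),
    ("scan",  "b3c4", "staging-api.example.com", "Let's Encrypt"),
    ("ct",    "b3c4", "staging-api.example.com", "Let's Encrypt"),
    ("ct",    "d5e6", "help.example.com",        "SaaS Vendor CA"),
    ("cloud", "a7b8", "cdn.example.com",         "Amazon"),
    ("scan",  "f1a2", "www.example.com",         "Corp Internal CA"),  # duplicate hit
]
# Constructed "known" inventory: fingerprint -> name, as a CMDB or spreadsheet would hold it.
KNOWN_INVENTORY = {"f1a2": "www.example.com", "c9d0": "legacy.example.com"}

def consolidate(observations):
    """Merge raw observations into one record per certificate, keeping every source that saw it."""
    certs = {}
    for source, fingerprint, cn, issuer in observations:
        record = certs.setdefault(fingerprint, SeenCert(fingerprint, cn, issuer))
        record.sources.add(source)
    return certs

def visibility_gap(observations, inventory):
    """Compare discovered certificates with the inventory and report the gap in both directions."""
    certs = consolidate(observations)
    unknown = {fp: c for fp, c in certs.items() if fp not in inventory}
    # Inventory entries no channel can see any more: stale records, or hosts the scan missed.
    stale = {fp: cn for fp, cn in inventory.items() if fp not in certs}
    # Seen only in CT logs: issued for your domain but not found on any endpoint you scanned.
    ct_only = [fp for fp, c in unknown.items() if c.sources == {"ct"}]
    gap_percent = round(100 * len(unknown) / len(certs), 1) if certs else 0.0
    return {"discovered": len(certs), "unknown": unknown, "stale_inventory": stale,
            "ct_only": ct_only, "gap_percent": gap_percent}

if __name__ == "__main__":
    report = visibility_gap(OBSERVATIONS, KNOWN_INVENTORY)
    print(f"{report['discovered']} discovered, {len(report['unknown'])} unknown "
          f"({report['gap_percent']}% visibility gap)")
    for c in report["unknown"].values():
        print(f"  {c.subject_cn} issued by {c.issuer}, seen via {sorted(c.sources)}")
```

The CT-only bucket is worth reviewing first: those certificates were issued for your domain yet sit on no endpoint your scan reached, which is the pattern of a SaaS custom domain or a cloud resource outside the scanned ranges.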
Eliminating shadow certificates entirely is unrealistic. The goal is to build systems and processes that make shadow certificates visible as soon as they appear and bring them into managed lifecycle workflows. Here are the key strategies.
A one-time scan is not enough. Deploy continuous discovery that automatically scans your networks, cloud environments, and endpoints on a regular schedule. New certificates should be detected within hours or days of issuance, not months later when they expire and cause an outage.
Define clear certificate policies that specify approved key algorithms, minimum key sizes, maximum validity periods, and required naming conventions. Then enforce these policies automatically. When a newly discovered certificate violates policy, the system should flag it and notify the responsible team.
Maintain a list of approved Certificate Authorities and make it easy for teams to request certificates from them. If obtaining a certificate from an approved CA is as fast and convenient as using an unapproved source, teams will naturally gravitate toward the approved path. Pair this with CT log monitoring to detect certificates issued by CAs outside your approved list.
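The policy enforcement and approved-CA checks described in the two preceding paragraphs, as an added example in Python rather than anything from the article or Evertrust's product: the policy thresholds, CA names and certificate records are constructed placeholders, and the check returns the list of violations a discovery pipeline would attach to a newly found certificate before notifying its owner.

```python
import re
from datetime import date

# Constructed example policy. The thresholds are illustrative placeholders for this
# example, not values the article prescribes; tune them to your own standard.
POLICY = {
    "approved_cas": {"Corp Internal CA", "Let's Encrypt"},
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "max_validity_days": 398,
    # Names must be subdomains of the corporate domain; wildcards are handled separately.
    "name_pattern": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.example\.com$"),
}

def check_policy(cert, policy=POLICY):
    """Return the policy violations for one certificate record; an empty list means compliant."""
    violations = []
    if cert["issuer"] not in policy["approved_cas"]:
        violations.append(f"unapproved CA: {cert['issuer']}")
    minimum = policy["min_key_bits"].get(cert["key_algo"])
    if minimum is None:
        violations.append(f"unapproved key algorithm: {cert['key_algo']}")
    elif cert["key_bits"] < minimum:
        violations.append(f"weak key: {cert['key_algo']}-{cert['key_bits']} below {minimum} bits")
    validity = (cert["not_after"] - cert["not_before"]).days
    if validity > policy["max_validity_days"]:
        violations.append(f"validity {validity} days exceeds {policy['max_validity_days']}")
    for name in cert["sans"]:
        if name.startswith("*."):
            violations.append(f"overly broad wildcard scope: {name}")
        elif not policy["name_pattern"].match(name):
            violations.append(f"naming convention: {name}")
    return violations

# Constructed sample records, as a discovery scan or CT query might yield them.
SAMPLE_CERTS = {
    "managed": {"issuer": "Corp Internal CA", "key_algo": "RSA", "key_bits": 2048,
                "not_before": date(2025, 1, 1), "not_after": date(2025, 12, 31),
                "sans": ["www.example.com"]},
    "shadow": {"issuer": "SaaS Vendor CA", "key_algo": "RSA", "key_bits": 1024,
               "not_before": date(2024, 1, 1), "not_after": date(2026, 1, 1),
               "sans": ["*.example.com", "help.example-site.net"]},
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        problems = check_policy(cert)
        print(f"{label}: {'compliant' if not problems else 'flag for owner notification'}")
        for p in problems:
            print(f"  - {p}")
```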
Shadow certificates often appear because developers do not realize there is a proper process, or they find the existing process too slow. Address both sides: educate teams on the risks of unmanaged certificates, and streamline the official request process so it takes minutes, not days. Self-service portals with automated approval workflows are highly effective at reducing shadow certificate creation.
Continuous multi-source discovery: Evertrust CLM discovers certificates across your networks, cloud providers, endpoints, and CT logs. Scans run continuously so new certificates are detected within hours, not months.
Unified inventory: Every discovered certificate is automatically added to a centralized inventory with full metadata, ownership attribution, and expiration tracking. No more spreadsheets, no more surprises.
Policy violation alerts: Define your organizational policies once, and Evertrust automatically flags any certificate (new or existing) that violates them. Weak keys, unauthorized CAs, and non-compliant configurations are surfaced immediately.
Self-service with guardrails: Give developers a fast, approved path to obtain certificates through self-service portals backed by Evertrust PKI. Requests are fulfilled in seconds with built-in policy enforcement, removing the incentive to go outside official channels.