Why do most CLM projects fail?
Expired certificates without alerts
A single undetected expiration is enough to cripple your infrastructure. Production incidents related to certificates cost millions.
Manual management is impossible at this scale
Thousands of TLS, SSL, and SSH certificates managed in spreadsheets. No visibility, no traceability, and constant risk.
Unmanaged machine identities
SSH keys, tokens, and application secrets are all potential attack vectors that remain hidden if no one tracks and monitors them.
Inventory & Overview of Certificates
Take back control of your certificates to reduce the risk of expiration, service interruptions, and non-compliance.
- Automated discovery of certificates on servers, applications, network devices, cloud services, and internal platforms
- Centralized inventory including owner, purpose, issuing authority, and expiration date
- Identification of unknown, expired, misconfigured, self-signed, or non-compliant certificates
- Prioritization of risks associated with critical certificates that are exposed or used by sensitive services
Automated renewal
Automate certificate renewal to reduce manual tasks and service interruptions.
- Automated processes for requesting, validating, issuing, renewing, and revoking certificates
- Reducing risks associated with unexpected system failures, human error, and operational dependencies
- Approval workflows tailored to criticality levels, application owners, and business constraints
- Streamlining the certificate lifecycle for seamless, traceable, and secure management
PKI Infrastructure Management
Design, secure, modernize, and manage your PKI infrastructure, whether on-premises or hybrid.
- Analysis of the existing PKI architecture, certificate authorities, issuance policies, and related practices
- Design or enhancement of robust, resilient PKI architectures aligned with business and security needs
- Securing certificate authorities, keys, certificate templates, and administrative processes
- Support for the operation, documentation, and operational governance of the PKI infrastructure
Machine Identity Governance
Gain better control over the machine identities used by your applications, services, APIs, workloads, containers, and cloud environments.
- Mapping of machine identities and certificates associated with the company's critical services
- Governance rules: ownership, validity period, issuance policies, revocation, and renewal
- Reducing risks associated with unmanaged certificates, orphaned machine identities, or undocumented uses
- Aligning machine identity governance with IAM, PAM, DevOps, cloud, and application security practices
DevOps & CI/CD Integration
Integrate certificate and machine identity management into DevOps workflows to secure deployments without slowing down teams.
- Integration of CLM/PKI solutions with CI/CD pipelines, DevOps platforms, secret management tools, and cloud environments
- Automation of certificate issuance and renewal for applications, APIs, microservices, and containers
- Security checks integrated into the build, deployment, and production processes
- Reducing friction between security, infrastructure, and development through standardized and automated workflows
CLM Compliance & Audit
Demonstrate your mastery of certificates, machine identities, and PKI infrastructure to security, compliance, and audit teams.
- Reports on certificate status, expirations, anomalies, issuing authorities, and compliance discrepancies
- Dashboards for monitoring risks, renewals, and corrective actions
- Alignment of CLM/PKI practices with internal policies, regulatory requirements, and security standards
- Preparation of audit evidence related to the management of certificates, keys, certification authorities, and machine identities
What we do today
Our numbers speak for themselves
- 28 years of experience
- +100 active certifications
- 76 projects launched in 2025
- 17 countries covered
- +40 IAM/PAM/IGA certified experts
Our technology partners
Use cases
- 0 expiration incidents since go-live
- -70% manual management time
- 100% of certificates with an identified owner
RESULTS ACHIEVED
• Zero incidents of undetected expiration since the solution went live
• 100% of certificates with an identified owner and an associated renewal policy
• 70% of the time spent on manual certificate management eliminated through ACME automation
• Complete visibility across the entire fleet from a centralized dashboard
• A documented and auditable process that complies with PCI-DSS and ISO 27001 requirements
IDENT1TY APPROACH
• Deployment of an automated discovery scanner across the entire infrastructure to build a comprehensive inventory
• Assigning a technical owner to each certificate and updating the CMDB
• Implementation of the ACME protocol to automate renewals without manual intervention
• Creation of dashboards with proactive alerts 90, 60, and 30 days before expiration
• Training of operations teams and documentation of CLM governance processes
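The approach above (a centralized inventory with a named owner per certificate and proactive alerts at 90, 60 and 30 days) comes down to a periodic check run over the inventory. The script below is an added example written for this page, not IDENT1TY's tooling or the insurer's deployment; it assumes the discovery step has already exported the inventory as CSV with the columns shown, and the hostnames, owners and dates in it are constructed sample data.

```python
"""Expiry-tiered alerting and ownership check over a certificate inventory.

Added example, not the consultancy's or the client's code. Assumes the
discovery scanner has exported the inventory as CSV with the columns
subject, owner, issuer, not_after (ISO date) and self_signed (yes/no).
"""
import csv
import io
from datetime import date

# Alert windows named in the case study: 90, 60 and 30 days before expiry.
ALERT_DAYS = (90, 60, 30)

# Fixed reference date so the example is reproducible offline.
TODAY = date(2025, 1, 1)

# Constructed sample inventory (hypothetical hosts, owners and issuers).
SAMPLE_INVENTORY = """\
subject,owner,issuer,not_after,self_signed
portal.example.test,web-team,Internal Issuing CA 1,2025-04-10,no
api.example.test,,Let's Encrypt,2025-02-20,no
legacy-db.example.test,dba-team,legacy-db.example.test,2025-01-05,yes
vpn.example.test,network-team,Internal Issuing CA 1,2026-01-01,no
old-portal.example.test,web-team,Internal Issuing CA 1,2024-12-01,no
"""


def parse_inventory(text):
    """Parse the CSV export into records with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = date.fromisoformat(row["not_after"].strip())
        row["self_signed"] = row["self_signed"].strip().lower() == "yes"
        row["owner"] = row["owner"].strip()
        rows.append(row)
    return rows


def alert_tier(days_left):
    """Return the tightest alert window already entered ('30d', '60d',
    '90d'), 'expired' for a past not_after, or None when no alert is due."""
    if days_left < 0:
        return "expired"
    for window in sorted(ALERT_DAYS):
        if days_left <= window:
            return f"{window}d"
    return None


def review_inventory(rows, today=TODAY):
    """Flag certificates that need action: approaching expiry, expired,
    without an identified owner, or self-signed. Returns one finding per
    affected certificate with the list of issues."""
    findings = []
    for row in rows:
        days_left = (row["not_after"] - today).days
        issues = []
        tier = alert_tier(days_left)
        if tier:
            issues.append(tier)
        if not row["owner"]:
            issues.append("no-owner")
        if row["self_signed"]:
            issues.append("self-signed")
        if issues:
            findings.append({"subject": row["subject"],
                             "days_left": days_left, "issues": issues})
    return findings


def owner_coverage(rows):
    """Fraction of certificates with an identified owner (the KPI the
    case study reports as 100%)."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r["owner"]) / len(rows)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for finding in review_inventory(inventory):
        print(f"{finding['subject']:28} {finding['days_left']:>5}d  "
              + ", ".join(finding["issues"]))
    print(f"owner coverage: {owner_coverage(inventory):.0%}")
```

Run daily from the CLM platform or a scheduled job, the three tiers map directly onto the 90/60/30-day alerts; the `no-owner` and `self-signed` flags are the inventory-hygiene findings that feed the CMDB update step.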
CLM · Insurance — National Mutual Insurance Company
Streamlining the certificate lifecycle
Automated discovery, ACME automation, and elimination of certificate expiration issues across a fleet of 5,000 certificates.
4,000 employees · 5,000 certificates
CLM · CMDB · SIEM · ACME
8 months
BACKGROUND & ISSUES
The insurer had experienced several major production incidents related to undetected certificate expirations, one of which caused the member portal to be partially unavailable for several hours.
The analysis had revealed the lack of a reliable inventory, with certificates issued by different teams, and no clear governance or designated owner.
POINTS OF FRICTION
• No consolidated view of certificates; incident-based management only
• Coexistence of multiple internal and public authorities without a harmonized policy
• Nearly 25% of certificates in the CMDB have no identified owner
• Gradual reduction in validity periods, making manual processes unsustainable
Another case, another challenge.
- 200K devices under a dedicated PKI
- 10 years of documented governance
- IEC 62443 compliance achieved
RESULTS ACHIEVED
• Over 200,000 devices on a dedicated PKI, with end-to-end control of the device fleet from day one of production
• Enrollment integrated into production lines, zero manual operations per device
• A documented 10-year governance track record, with planned and tested CA rotations
• IEC 62443 compliance achieved; product certification approved for European industrial markets
• Scalable architecture validated to accommodate expected growth without major overhauls
IDENT1TY APPROACH
• Design of a 3-level PKI hierarchy with an offline root CA on a dedicated physical HSM
• Integration of the EST and SCEP protocols into the production lines for automatic device enrollment during manufacturing
• Architecture designed to handle several million certificate issuances per year without compromising latency
• Complete documentation of the Certificate Policy and CPS in accordance with IEC 62443 requirements
• Implementation of operational maintenance (MCO), with rotation procedures for the intermediate CAs planned over a 10-year period
PKI · Industry — Connected Devices
Sovereign PKI for a French IoT manufacturer
Design and operation of a public-key infrastructure supporting 200,000 devices over a ten-year period.
Over 200,000 devices deployed
PKI · HSM · EST · SCEP · IEC 62443
10 months + maintenance
BACKGROUND & ISSUES
A manufacturer of long-lasting connected devices whose original PKI was no longer able to support its growth or meet the compliance requirements of IEC 62443.
The project aimed to rebuild a dedicated, sovereign PKI capable of supporting the existing infrastructure and accommodating projected growth over the next ten years.
POINTS OF FRICTION
• Scale up to several million certificates issued per year without compromising enrollment times
• Design a CA hierarchy with a ten-year timeline and planned rotations
• Integrate initial provisioning into the manufacturing process without slowing down the production lines
• Document and audit end-to-end cryptographic governance in line with IEC 62443
- 95% campaign completion rate
- -35% excessive rights (revoked)
- -60% non-business technical roles
RESULTS ACHIEVED
• A 95% completion rate for review campaigns, compared to less than 60% previously
• 35% of excessive entitlements identified and revoked in the very first campaign using the new model
• 60% of technical roles consolidated or eliminated; role model finally understandable to business units
• SoD conflicts detected and blocked automatically, no more untraced manual exceptions
• ACPR report generated automatically for each campaign, compliance team workload reduced by two-thirds
IDENT1TY APPROACH
• Completely redesigned the role model in collaboration with business teams to create clear and actionable roles
• Implementation of recertification campaigns targeted by risk level, with sensitive access reviewed quarterly
• Development of simplified review interfaces with business context to facilitate managerial decision-making
• Implementation of automatic SoD rules to block incompatible access combinations upstream
• Generation of automated audit reports that can be used directly by ACPR and internal control teams
IGA · Universal Bank — Tier 1
Access Review and Recertification Program
Scaling up IGA campaigns and reducing access debt across 800 applications.
15,000 employees · 800 applications
Windows · Linux · Databases · Networking
18 months
BACKGROUND & ISSUES
A European banking group whose semi-annual access review campaigns were deemed inadequate by the internal control functions. Managers were approving requests en masse without conducting any analysis, a practice that had been flagged by both the internal audit team and the ACPR inspection.
The risk management team wanted to regain control of the role model, which had become unreadable due to a flood of ad hoc requests.
POINTS OF FRICTION
• Indiscriminate bulk approvals that create a risk of non-compliance
• Several thousand technical roles without a clear business counterpart
• Accumulation of rights from past internal mobility that were never cleaned up
• ACPR and European Supervisory Authority expectations regarding segregation of duties