Security
Getting a Certificate Is a Supply Chain, Not a Download
Requesting a TLS certificate in an enterprise isn't a download — it's a multi-party process with approvals, metadata that has to be exactly right, formats that differ per consumer, and a handoff to whoever installs it. That friction is precisely why certificates lapse, and why automating it matters.
- Security
- PKI
- Certificates
- Operations
The first time you request a TLS certificate through a real enterprise PKI, the shock is how little it resembles “download a file.” It’s a process with multiple parties, an approval step, metadata that has to be exactly right or the cert is wrong, a download in whatever format each consumer needs, and often a handoff to a different team that actually installs it. Writing down that workflow made something click: a certificate is a supply chain, not an artifact, and that supply chain’s friction is the real reason certs quietly expire and take services down.
A request is a form with consequences
You don’t “get” a certificate; you request one, and the request carries metadata that becomes load-bearing. The common name and subject-alternative names have to match exactly how the cert will be used, or TLS fails later in confusing ways. There’s a policy folder or zone that controls issuance, an application identifier for tracking, contacts and approvers, key parameters. Get any of it wrong and you don’t find out at request time — you find out weeks later when a handshake breaks or a renewal goes to the wrong place. The request form is where most certificate problems are actually born, long before anything is installed.
A certificate isn’t issued the moment you ask. It’s issued after the right people approve the right metadata — and any of it being wrong is a future outage.
Approval is a queue you don’t control
After you submit, you wait. Issuance routes through an approval — a person or a team that signs off — and that step has latency entirely outside your control. This is the part that wrecks plans: if you treat getting a cert as instant, you schedule the cutover for the day you need it and discover the request is still “pending approval.” Certificates have lead time, and the lead time isn’t yours to compress. Plan cert work the way you’d plan anything with an external dependency in the critical path: start early, and don’t promise a date that assumes instant issuance.
One cert, many formats
Then there’s the format tax. The same certificate has to be delivered differently depending on what consumes it: a PEM file and a separate key for one kind of server, a Java keystore for another, a PKCS#12 bundle for a third — sometimes with the private-key password stripped, sometimes split apart with a couple of openssl incantations. The cert is one logical thing; the artifacts you produce from it are many, and each consumer is particular. Knowing in advance which format each target needs — and that producing it is its own fiddly step — is the difference between a smooth install and an afternoon of “why won’t it load the key.”
You request it; someone else installs it
The handoff surprised me most. For some targets — load balancers especially — you don’t install the cert at all; you request it and then hand it to a different team that applies it. So the supply chain has a literal organizational boundary in the middle: the requester and the installer are different people, and the cert has to be delivered across that seam in the right form with the right instructions. Any process with a handoff between teams has a place where things stall, get dropped, or go in miscommunicated. Knowing where that boundary is — and who owns each side — is part of operating the supply chain rather than being surprised by it.
The friction is why certificates lapse
Put it together — a metadata-laden request, an approval queue, per-consumer formats, a cross-team install — and you’ve described a process with enough friction that nobody wants to do it more often than forced. That friction is exactly why certificates expire and take production down. The renewal is the same multi-step slog as the original request, so it gets deferred, and a deferred renewal becomes an outage on the expiry date. Understanding the supply chain reframes expiry: it’s not forgetfulness, it’s friction, and the durable fix is the same as for any high-friction recurring task — automate it, so renewal isn’t a manual trip through the whole chain every time. That’s the whole argument for making certificates renew themselves: you can’t remove the supply chain, but you can stop walking it by hand. Map your cert process end to end — request, approve, formats, install, owners, lead time — and you’ll both stop being surprised by it and know exactly which parts to automate first. If you’ve untangled an enterprise cert workflow, I’d like to hear how it’s structured.