Proactive PKI Health, Posture & Security Monitoring for CAs, HSM and End Points

Maintaining trust across your environment depends on how well you monitor your PKI stack such as ADCS, MS Cloud PKI, SSL endpoints, and HSMs. These components underpin identity, access, and secure communication for the entire organization, yet they are often the least monitored, creating blind spots that can directly impact confidentiality, integrity, and availability.

With PKI Insights you get:

  • 24×7 ADCS health & posture monitoring to ensure CA availability, configuration integrity, and secure operations
  • SSL endpoint monitoring to detect expiring, weak, or misconfigured certificates
  • Dedicated HSM monitoring to safeguard key usage, availability, and operational health
  • Certificate Lifecycle Management (CLM) to automate certificate issuance and renewal across infrastructure

Alarming PKI Facts

2021 – Global PKI & IOT Study

  • 46% organizations lack PKI skills
  • 71% organizations have no clear ownership in managing PKI
  • 50% of digital Certificate issuance has risen since 2019

2020 – Impact of Unsecured Digital Identities

  • 73% of security professionals admit digital certificates still cause unplanned downtime and application outages

Why choose PKI Insights?

Comprehensive PKI Monitoring & Analytics

PKI Insights investigates your PKI against 250+ standard PKI health checks keeping your PKI health in check. Monitor all of your HSMs, Endpoints & CAs centrally from a single pane of glass anytime, anywhere.

Discover hidden PKI problems

Get clear, concise, and interactive dashboard to check your PKI health. Track peak issuance hours, failure trends, and critical PKI issues effortlessly.

Certificate Lifecycle Management (CLM)

Automate the end-to-end lifecycle of all certificate’s issuance, renewal across ADCS and web servers. PKI Insights ensures certificates are always valid, reduces manual effort, prevents outages from expired certificates, and enforces policy compliance across your digital trust infrastructure.

Governance & Best Practices

Enable your PKI teams to audit, review, and optimize ADCS operations against standards like NIST, ISO, Web Trust, PCI, HIPAA, NAESB, and NIS2, ensuring policies and configurations remain fully compliant.

How PKI Insights works?

PKI Insights consist of 3 core components:

  • PKI Insights Portal: Browser based access to data, graphs and reports
  • PKI Insights Engine: Performs complex PKI checks against the CA’s data
  • PKI Insights Storage: Database where all PKI data is kept for analysis

The overall processing logic is quite simple:

  • PKI Insights examines your PKI as a continuous polling process
  • It regularly polls the configured CAs and fetch raw, latest certificate data
  • The raw data is processed and stored as searchable, meaningful data
  • Finally PKI Health checks are performed on the stored data
  • PKI Admin can now open the portal and see live meaningful, graphical PKI trends

11 Key Features

Features you get from PKI Insights

  • Get 360° View

    Get an overall health of your ADCS PKI, Microsoft Cloud PKI, SSL Endpoints & HSM by:

    Detecting anomalies
    Accessing all CA data from one dashboard
    Filtering data via searchable portal
    Stats on certs, failures, templates, uptime
    Follows CA/B Forum SSL guidelines

  • Analyze Trends

    Get insights across multiple PKI areas:

    CA Up/Down
    Failed Calls
    ADCS Events
    Certificate Issuance (valid/expired)
    Templates & Revocation
    Issuance Trends
    Key Algorithms & Public Key Length
    Expiring Certificates (7/30/90 days)

  • Performs 250+ PKI Health Checks

    PKI Insights detects a wide range of PKI issues:

    Digital Signature Algorithms
    Public Key Algorithms (RSA, ECDSA)
    Certificate Lifespan Issues
    Issuance Failures
    Deviations from RFC 5280

  • Detection of ADCS Exploits

    Detects SpecterOps ESC misconfigurations and PetitPotam relay risks to prevent privilege escalation or domain compromise.

  • Proactive Alerts

    CA / HSM health changes
    Template updates & high-value cert issuance
    Certificates from unpublished templates
    Long lifespans / policy mismatches
    CRL & OCSP uptime
    Suspicious issuance patterns
    Expiring certificates
    Daily Summary Reports

  • SSL Endpoint Monitoring

    Tracks all SSL/TLS endpoints for expirations, weak configs, and risks to prevent outages and MITM attacks.

  • HSM Monitoring

    Real-time monitoring of Thales, Entrust, and Utimaco HSMs status, partitions, firmware, and key activity.

  • Certificate Auto Renewals

    Automates certificate renewal and deployment for IIS, Nginx, Apache HTTP, and Tomcat preventing outages.

  • Microsoft Cloud PKI Monitoring

    Monitors Microsoft Cloud PKI issuance and health, providing unified hybrid PKI visibility.

  • Serves Multiple PKIs

    Manage multiple CAs, HSMs, and endpoints from a single unified PKI Insights deployment.

  • Standard Based

    RFC 5280
    RFC 6560
    CA/B Forum SSL Guidelines

  • Secure Access

    Access via TLS client authentication, password less, secure, multi-browser, unlimited user access.

  • Crypto Agility

    RSA (2048 / 4096 / 8192)
    ECDSA (192–512)
    SHA-1 / SHA-256 / SHA-384 / SHA-512
    Dilithium (PQC)

Deployment

  • Supported OS

    All flavors of Windows CA Server (2016, 2019, 2022)

  • Languages

    Supports Multiple Languages (English, Chinese, French, Spanish, Croatian etc.)

  • Minimum H/W Requirement

    8 GB RAM, 2 vCPU (2.3 GHz), 10 GB disk space

Words from Client

Leading companies rely on us for their PKI and digital signature needs

Using PKI Insights from Codegic has significantly improved our visibility into ADCS operations, helping us detect and respond to Microsoft CA issues with greater speed and confidence. Beyond the intuitive dashboards and actionable alerts, what truly stands out is the excellent quality of the product, the professionalism of the team, and their consistently responsive support. These qualities have made Codegic a trusted long-term IT partner for our organization.

Michel Rendine, Ingénieur systeme, CHEM.

Pricing

  • PKI Insights is charged per bundle
  • Each bundle allows you to deploy 2 instance of PKI Insights
  • To add more servers in your existing pool; Add more bundles OR Buy a single server instance at 50% of the bundle price
  • Test environments or Staging environments are charged 20% of the price

Maintenance Plan

With active annual software maintenance plan:

  • Keep your installation safe and secure with the latest security updates
  • Get free access to the newest features, enhancements, and bug fixes
  • Get premium support from our technical engineers (within 24 hours on business days)

Has your maintenance expired?

Want to renew your maintenance plan? The price for 12 months is 25% of your license’s (current) list price.

Save more with extended supported

  • Extend for 24 months and save 10%
  • Extend for 36 months and save 15% best value

FAQ

Can I get false alarms?

Chances of that are pretty low as all checks are based on PKI standards. If you want certain alarms to be ignored, do let us know.

Where does PKI Insights store its data?

PKI Insights works in a non intrusive way. PKI Insights pulls certificates from the CA at regular intervals and makes a local copy of it. This is then synched at regular intervals as well. All statistics is then calculated on this database. We support PostgreSQL for storing certificate data. If your company uses some other DBMS let us know and we will support it.

What digital certificate processing speed should I expect?

PKI Insights is capable of processing 100+ certificate/second or around 0.3 million certificates per hour. Once initial processing is done, detailed investigation (250+ checks) is performed in parallel and as its time complex process hence could take few more hours to finish.

How many CAs can be investigated with a single deployment?

There is no limit on the the number of CAs to be investigated with a single deployment of PKI Insights.

Is it possible to implement custom rules for my PKI?

We are open to any specific checks to be implemented for your PKI. If you also want a specific report to be generated do let us know as well. Speak to us and we’ll implement it for no extra charge.

Can I configure PKI Insights to stop for a certain time slot?

PKI Insights is designed to work as a continuous PKI health check tool. All you could do is to reduce the polling period but you can’t stop it for a time interval.

Do you support languages other than English?

Yes, do let us know the language of your choice and we will set it up for you.

Can PKI Insights integrate with CA's other than Microsoft?

Sure, let us know which PKI you want us to integrate with.

My PKI is perfect but due to 'failed calls' it's health rating is at 'C', what can be done?

PKI Insights allow you to set rating parameters as well. This can done by setting the failed calls threshold value to a much higher value hence reducing its impact on overall PKI health.

What risks I have while using PKI Insights?

Note that PKI Insights only communicates with Microsoft CA using the standard communication channel. PKI Insights doesn’t integrate with your CA’s database directly. If you already have more than 1 million certificates in your system then we recommend you to run PKI Insights at off-peak hours to reduce the chances of us slowling your CA, although the chances are fairly minimal as we process certificates in batches of 100 (configurable). After that PKI Insights polls after 5 seconds (configurable) to fetch any new certificates. As PKI Insights doesn’t interrupt your CA directly and it also reads data hence the risk of PKI Insights impacting your CA performance is fairly minimal and close to none.

Can the alerts be pushed to central logging system?

Yes, for traceability, alerts can be pushed securely to your central logging systems e.g. Splunk, Grafana, Greylog, LogRhythm etc.

For a PKI health issue, how quickly will I get an alert?

You should get an alert email in less than a 30 seconds and in worst situation in a minute.

My PKI Insights database is getting huge, can this be reduced?

PK Insights statistical data depends upon the certificate and alerts data it is accumulated from the CA. Removing data would means older statistical information will not correctly represent your PKI data. For example if you want one year old data to be removed then graphs/ data listings will not show that information. Let us know how much older data is to be removed and we will guide you further.

Can multiple PKI administrators login and get reports & alerts?

Sure, you can configure any number of administrators to authenticate and access the PKI Insights portal plus get alerts and summary emails for all of them.

How is PKI Insights installed?

PKI Insights comes bundled with a simple to use installer program. The installer also auto-detects the CA on the network and lets you link it with PKI Insights. For configuring more than one CAs, you may setup the PKI Insights configuration file to add more CAs.

I am getting a PKI health rating of 'A' should I stop running PKI Insights?

As long as your are running your PKI for production and issuing digital certificates you must keep PKI Insights running to ensure these are analyzed to keep your PKI free from security issues.

We generate thousands of X.509 digital certificates/hour for IOT. Can we get health check reports every hour?

Yes, PKI Insight allows the time duration after which a summary report is created. You can hence set the interval in minutes even.