Dan Cvrcek [Tsvrcheck]

Dan Cvrcek [Tsvrcheck]

I am a left-handed contrarian living by JFDI. I delivered secret and certificate services, DNS automation and WAF protection for Barclays, Sky UK, TSB Bank, Deutsche Bank, or Comcast. With a professorship from Czech Republic and Cambridge University post-doctoral research, I combine startup agility with enterprise experience to transform clients’ operations. I am always interested in talking with people who want to change things.

5 minute read

Certificate Operations Problem Partial automation creates a Stop-Go bottleneck that pulls engineers away from product work—here’s why it happens and how to fix it.

You automated certificate issuance. You set up ACME. You wrote scripts for deployment. You congratulated yourself on solving the certificate problem.

Then your engineers kept getting interrupted anyway.

Welcome to the Stop-Go Bottleneck.

The Automation Illusion

Most teams discover certificate management is painful around the same time—usually after an outage, a failed audit, or a senior engineer rage-quits over spending another Friday night debugging an expired cert.

The natural response is automation. Install certbot. Wire up Let’s Encrypt. Script the deployment. Maybe buy a CLM tool that promises to handle everything.

And it helps. Parts of the process get faster. Issuance becomes automatic. Alerts fire on schedule. The “centralized problem” disappears. You have a new team and they “manage it”.

But the interruptions don’t stop. Engineers still get pulled in. Renewals still take days instead of minutes. The process still feels broken.

What happened?

The 10-Step Reality

To understand why partial automation fails, you need to see what certificate renewal actually involves:

  1. Discovery — Someone notices expiry (alert if lucky, outage if not)
  2. Triage — Figure out what this cert protects and who owns it
  3. Request — Generate CSR, submit to the right CA
  4. Issuance — CA generates the cert
  5. Validation — Verify SANs, chain, expiry, key type
  6. Approval — Change management, risk review, CAB
  7. Deployment — Push to load balancers, ingresses, app servers
  8. Testing — Confirm services work end-to-end
  9. Documentation — Update inventory (almost never happens)
  10. Cleanup — Revoke old cert, remove from systems (never happens)

Typical automation handles steps 3-4. Maybe step 1. Sometimes step 7 if you’ve invested in pipelines.

That leaves six to eight steps that still require an engineer. Each of these steps is an interruption, potentially destroying 1/2 day of a maker. Each interruption means a context switch, re-focus, re-scheduling.

Where the Process Stops

Here’s what we see when teams try to automate their way out of certificate pain:

Host deployment gaps. ACME gets the cert issued automatically. But deploying it to the actual endpoint—load balancer, Kubernetes ingress, legacy app server—requires privileged access, service restarts, or orchestration that isn’t wired up. The automation issues the cert, then stops. Someone gets paged to finish the job.

Change management gates. In any regulated environment, production changes require tickets, approvals, risk reviews. Automated renewals create automated tickets—that sit in a queue until a human approves them. Issuance takes seconds. Approval takes days. The bottleneck moved, not disappeared.

Ownership friction. Who owns this cert? Platform team? App team? Security? Even with good discovery, renewal often triggers a service request to the “right” team. If your CLM tool doesn’t integrate with ServiceNow or Jira, it just creates tickets in the wrong queue. Someone has to triage. Someone gets interrupted.

No source of truth. Without sync to a CMDB or asset registry, automation lacks context. Which app depends on this cert? What’s the blast radius if renewal fails? Is this wildcard still needed? Partial automation renews blindly but doesn’t update relationships or dependencies. Next cycle, same triage. Same confusion. Same interruptions.

A new CLM (certificate lifecycle management) system often equals creation of shadow infrastructure as there’s only one team that can access dashboards and reports. When there is a problem, your incident management team can’t see it.

The Stop-Go Pattern

The result is a process that lurches forward, slams into a gate, stops, waits for human intervention, then crawls forward again. Each “GO” represents 1-2 hours of engineering time.

Issue cert → STOP → wait for approval → GO → deploy to staging → STOP → wait for production window → GO → deploy to prod → STOP → wait for testing sign-off → GO → done (maybe)

Every stop is a context switch. Every context switch pulls an engineer out of whatever they were actually building. The automation runs in the background, but engineers are still getting interrupted multiple times per renewal.

You didn’t eliminate the manual process. You created a hybrid that feels modern to the head of cyber security and broken to your CTO and all engineering teams.

Why This Gets Worse

Certificate validity periods are shrinking. If your current process involves 5 touch points per renewal and you’re renewing monthly instead of annually, you’ve just 12x’d your interrupt load.

Partial automation can’t absorb that. The Stop-Go pattern breaks completely when volume increases. Either you staff up to handle the gates, or renewals start failing because they’re stuck in approval queues.

What Actually Fixes This

The goal isn’t a new dashboard for your PKI team. It’s a smooth end-to-end process for users. It’s eliminating the stops.

Deployment that doesn’t require intervention. Certs flow to endpoints through existing pipelines—GitOps, infrastructure-as-code, orchestration that’s already trusted for production changes. No separate approval for “cert rotation” for repeated changes, because it’s part of normal deployment flow.

Change management that’s built in, not bolted on. Renewals that happen within policy don’t need tickets. Automation generates change records. The approval gate becomes a time gate (restart only within a suitable time window), not a wall.

Ownership that’s encoded, not tribal. Inventory knows which team owns which cert, which services depend on it, what the renewal process should be. No triage step because the system already has the context.

Source of truth that updates itself. Inventory reflects reality because it’s populated by discovery, not humans. Documentation happens automatically. No step 9 to skip.

When all the gates are integrated, the process doesn’t stop. Certs renew in the background. Engineers never know it happened. Zero interruptions.

The Builder’s Time Test

Here’s how to evaluate your current automation:

Count your renewals last month. For each one, count the human touch points—alerts acknowledged, approvals given, deployments triggered, tests run, tickets closed.

Multiply by the number of context switches each touch point caused.

Or put your numbers into our calculator.

That’s your real cost. Not hours on task. Hours of engineering focus destroyed by a process that’s automated in name only.

Your engineers joined to build product. Every stop in your Stop-Go process is time they’re not doing that. The question isn’t whether you have automation. It’s whether your automation actually runs without stopping.

You May Also Enjoy