Key management
==Inventory==
{{unreferenced section|date=June 2017}}
The starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates from a variety of sources are deployed in a variety of locations by different individuals and teams - it's simply not possible to rely on a list from a single [[certificate authority]]. Certificates that are not renewed and replaced before they expire can cause serious downtime and outages.

Some other considerations:
*Regulations and requirements, like PCI-DSS,<ref>{{Cite web|title=Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards|url=https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss|access-date=2022-02-16|website=www.pcisecuritystandards.org}}</ref> demand stringent security and management of cryptographic keys and auditors are increasingly reviewing the management controls and processes in use.
*Private keys used with certificates must be kept secure<ref>{{Cite web |title=How do you manage encryption keys and certificates in your organization? |url=https://www.linkedin.com/advice/1/how-do-you-manage-encryption-keys-certificates-1c |access-date=2023-09-25 |website=www.linkedin.com |language=en}}</ref> or unauthorised individuals can intercept confidential communications or gain unauthorised access to critical systems. Failure to ensure proper segregation of duties means that admins who generate the encryption keys can use them to access sensitive, regulated data.
*If a certificate authority is compromised or an [[encryption]] algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours.
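
The following is an added example, not part of the original article: it merges a certificate authority export with a network scan into one inventory keyed by fingerprint, then reports certificates that are expired, close to expiry, without a responsible party, unknown to the CA, or without a known location. The record fields, source names, sample values and the 30-day renewal window are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample records from two sources that disagree; fingerprints,
# hosts and owners are placeholders, not real values.
CA_EXPORT = [
    {"fingerprint": "aa11", "subject": "www.example.test", "not_after": date(2025, 3, 1), "owner": "web-team"},
    {"fingerprint": "bb22", "subject": "api.example.test", "not_after": date(2026, 1, 15), "owner": "api-team"},
]
NETWORK_SCAN = [
    {"fingerprint": "aa11", "subject": "www.example.test", "not_after": date(2025, 3, 1), "location": "lb1.example.test:443"},
    {"fingerprint": "aa11", "subject": "www.example.test", "not_after": date(2025, 3, 1), "location": "lb2.example.test:443"},
    {"fingerprint": "cc33", "subject": "legacy.example.test", "not_after": date(2025, 2, 10), "location": "10.0.0.7:8443"},
]

def build_inventory(ca_export, network_scan):
    """Merge both sources into one record per certificate fingerprint."""
    inventory = {}
    for source, rows in (("ca", ca_export), ("scan", network_scan)):
        for row in rows:
            entry = inventory.setdefault(row["fingerprint"], {
                "subject": row["subject"], "not_after": row["not_after"],
                "owner": None, "locations": set(), "sources": set()})
            entry["sources"].add(source)
            entry["owner"] = entry["owner"] or row.get("owner")
            if "location" in row:
                entry["locations"].add(row["location"])
    return inventory

def findings(inventory, today, renew_window_days=30):
    """Return sorted (fingerprint, issue) pairs that need follow-up."""
    deadline = today + timedelta(days=renew_window_days)
    out = []
    for fp, entry in sorted(inventory.items()):
        if entry["not_after"] < today:
            out.append((fp, "expired"))
        elif entry["not_after"] <= deadline:
            out.append((fp, "expires-soon"))
        if not entry["owner"]:
            out.append((fp, "no-owner"))        # no responsible party recorded
        if "ca" not in entry["sources"]:
            out.append((fp, "unknown-to-ca"))   # deployed but absent from the CA list
        if not entry["locations"]:
            out.append((fp, "location-unknown"))  # issued but never seen deployed
    return out

if __name__ == "__main__":
    for fp, issue in findings(build_inventory(CA_EXPORT, NETWORK_SCAN), date(2025, 2, 14)):
        print(fp, issue)
```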