By Yair Knijn · February 4, 2025
DORA says you must keep a certificate register. Most CISOs find out theirs is empty.
A CISO at a regulated financial entity reads DORA RTS Article 7, sees the phrase "register of all certificates," and quietly checks the box. There is a CMDB. There is a spreadsheet the platform team keeps. There is the DigiCert or Sectigo portal listing everything issued through the corporate account. One of those, the thinking goes, already is the register.
Then the assessment lands. Someone asks whether the inventory is complete and current for every asset supporting a critical function, and nobody can say yes. A partial inventory is not a head start. Under an auditable obligation it is a finding.
What Article 7 actually requires
The text in Commission Delegated Regulation (EU) 2024/1774 is specific. Financial entities must create and maintain a register for all certificates and certificate-storing devices, at least for ICT assets supporting critical or important functions, and keep that register up to date. The same article requires prompt renewal of certificates ahead of their expiry. That is three distinct obligations packed into a few lines: the certificates, the devices that hold them, and a freshness guarantee (entries that are current, and certificates renewed before they lapse).
The clause people skim past is "certificate-storing devices." An HSM holding a signing key. A load balancer terminating TLS. A Windows host with private keys in its certificate store. An appliance carrying a baked-in client cert for mutual TLS. Each one is in scope. A register that lists certificates but never says where their private material lives does not satisfy the article.
Why your CMDB and CA portal fall short
A CMDB records what someone bothered to enter. It is accurate the day a CI is created and decays from there. Certificates rotate on their own cadence, get reissued mid-incident, and get provisioned by teams who never touch the CMDB. The CA portal has the mirror-image blind spot: it shows what that one CA issued. It cannot see a cert from a second public CA, an internal Microsoft AD CS hierarchy, a self-signed cert someone made with openssl at 2am, or a Let's Encrypt cert an app team automated without telling anyone.
Neither source proves completeness, and completeness is the entire point. An auditor does not grade you on the certs you remembered. They grade you on the ones you missed.
The discovery gap
The dangerous certificates are the ones no register ever recorded, because you cannot renew what you do not track. Those are the ones that take a critical function offline on a Sunday. The usual suspects:
- Service-to-service mutual TLS certs minted by a private CA outside the central process
- Certs on appliances and middleboxes that terminate or re-encrypt TLS where the platform team never looks
- Short-lived ACME certs an app pipeline rotates silently, invisible until the automation breaks
- Code-signing and client-auth certs whose private keys sit on a developer laptop instead of an HSM
Closing that gap takes active discovery: scanning your own address space for listeners that present certificates, querying each host's local certificate store, and watching certificate transparency logs for anything issued in your names. Each source covers a different blind spot, so you need all three: CT logs show only certificates from publicly trusted CAs and will never surface an internal-CA or self-signed cert, and a scan of listeners sees server certificates, not the client certificates a host presents outbound, which only its own store reveals. Transcribing what people already wrote down does not count. A register built by hand from existing lists inherits every omission those lists already carried.
A register an auditor and a 2am responder both trust
One artifact has to serve two readers. The auditor wants evidence of completeness, currency, and a renewal process that runs ahead of expiry. The on-call engineer, mid-outage, wants to know which cert just expired, what it secures, where its private key lives, and which CA reissues it. Satisfy one reader and not the other and the register is not done. Record, for every entry, the issuing CA, the subject and SANs, the expiry date, the key location, the owning team, and the renewal mechanism.
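To make the register and the completeness check concrete, here is an added Go example; it is not the post's own code and not Automate Certificates' product code. It starts where the scan ends: each discovered endpoint arrives as PEM plus the key location, owner and renewal mechanism the scanner learned, BuildRegister parses that into rows keyed by SHA-256 fingerprint, and Gaps reconciles the rows against what an existing source (a CA portal export, here) already knew, producing the auditor's list of certificates no source recorded and the on-call list of certificates expiring inside a renewal horizon. The certificates are minted inline so it runs offline: a private issuing CA, an mTLS service cert it issued, and two self-signed certs standing in for an appliance cert and a silently rotated ACME cert. All host names, key locations, team names and the Entry and Found layouts are constructed for the example; the network scanning, host store queries and CT lookups that would feed it are out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Entry is one register row: the certificate plus what Article 7 needs beyond it (layout assumed).
type Entry struct {
	Fingerprint     string   // SHA-256 of the DER: a stable identity across reissue
	Subject, Issuer string   // Issuer is what reissues it; equals Subject when self-signed
	SANs            []string // DNS SANs only; IP and email SANs are left out here
	NotAfter        time.Time
	KeyLocation     string // "hsm:<name>", "host:<name>:<path>", "laptop:<user>"
	Owner, Renewal  string // owning team; "ca-portal", "acme" or "manual"
}

type Found struct{ Host, PEM, KeyLocation, Owner, Renewal string } // one endpoint from a scan; layout assumed

// BuildRegister parses each PEM into a row; an unparsable PEM is an error, never a silent skip.
func BuildRegister(found []Found) ([]Entry, error) {
	reg := make([]Entry, 0, len(found))
	for _, f := range found {
		block, _ := pem.Decode([]byte(f.PEM))
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no CERTIFICATE block", f.Host)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Host, err)
		}
		reg = append(reg, Entry{fmt.Sprintf("%x", sha256.Sum256(c.Raw)), c.Subject.String(), c.Issuer.String(),
			c.DNSNames, c.NotAfter, f.KeyLocation, f.Owner, f.Renewal})
	}
	return reg, nil
}

// Gaps returns rows no existing source knew about (the auditor's list) and rows expiring within horizon (the on-call list).
func Gaps(reg []Entry, known map[string]bool, now time.Time, horizon time.Duration) (unknown, expiring []Entry) {
	for _, e := range reg {
		if !known[e.Fingerprint] {
			unknown = append(unknown, e)
		}
		if e.NotAfter.Before(now.Add(horizon)) {
			expiring = append(expiring, e)
		}
	}
	return unknown, expiring
}

// mint is offline scaffolding: issue from parent, or self-sign when parent is nil (the "openssl at 2am" case).
func mint(cn string, sans []string, now, exp time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (string, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: now.Add(-time.Hour), NotAfter: exp, IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert, key
}

// Scenario is constructed scan output: one cert the CA portal issued and knows about, two it has never seen.
func Scenario() ([]Found, map[string]bool, time.Time) {
	now := time.Date(2025, 2, 4, 9, 0, 0, 0, time.UTC)
	_, ca, caKey := mint("Internal Issuing CA", nil, now, now.AddDate(10, 0, 0), true, nil, nil)
	mtls, mtlsCert, _ := mint("payments-svc", []string{"payments.internal"}, now, now.AddDate(1, 0, 0), false, ca, caKey)
	lb, _, _ := mint("lb-01", []string{"api.example.com"}, now, now.AddDate(0, 0, 20), false, nil, nil)
	acme, _, _ := mint("portal", []string{"portal.example.com"}, now, now.AddDate(0, 0, 60), false, nil, nil)
	return []Found{
		{"payments-svc:8443", mtls, "hsm:prod-cluster", "payments", "ca-portal"},
		{"lb-01:443", lb, "host:lb-01:/etc/ssl/private", "platform", "manual"},
		{"portal:443", acme, "host:portal:/etc/letsencrypt/live", "web-apps", "acme"},
	}, map[string]bool{fmt.Sprintf("%x", sha256.Sum256(mtlsCert.Raw)): true}, now
}

func main() {
	found, portal, now := Scenario()
	reg, err := BuildRegister(found)
	if err != nil {
		panic(err)
	}
	unknown, expiring := Gaps(reg, portal, now, 30*24*time.Hour)
	for _, e := range unknown {
		fmt.Printf("in no existing source: %s issuer=%q key=%s renewal=%s\n", e.Subject, e.Issuer, e.KeyLocation, e.Renewal)
	}
	fmt.Printf("%d of %d rows expire within 30 days\n", len(expiring), len(reg))
}
```

Run it with go run: it reports the two self-signed certs as present in no existing source and one of the three rows (the 20-day appliance cert) as expiring within 30 days. Two design points carry over to a real register. BuildRegister refuses an unparsable or non-CERTIFICATE PEM block rather than skipping it, because a skipped certificate is exactly the gap the register exists to close. And the fingerprint, not the subject, is the join key: reissues and renames change the subject, while a fingerprint identifies one concrete certificate, which also means the "known" set must be rebuilt from a fresh CA portal or CMDB export on every run rather than kept as a static list.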
Automate Certificates builds the register by discovery rather than data entry. Each Environment continuously scans your hosts, CAs, and CT logs, captures where private keys sit, and tracks renewal so prompt renewal becomes a property of the system instead of a reminder someone forgot. The goal is not passing one DORA assessment. It is keeping the register true between them. See how the discovery and inventory works.