ManageEngine automates the last mile of TLS certificate renewal, where most outages actually happen

CYBERSECURITYMANAGEENGINEKey Manager PlusTECHPLUGGED.COM

ManageEngine has closed the gap that quietly causes most certificate-related outages: what happens after the certificate is renewed.

The Zoho division announced post-deployment automation for TLS certificates in Key Manager Plus, its certificate lifecycle and machine identity management tool. The software now pushes renewed certificates to the target server, runs configured scripts, restarts dependent services, and notifies stakeholders – end to end, no human in the loop.

The unglamorous problem

Certificate automation has largely been solved at the front end. Discovery, issuance and renewal are well-trodden ground – ACME and Let’s Encrypt made that much routine years ago.

The last mile stayed manual. A certificate gets renewed successfully, sits in a vault, and never reaches the load balancer. Or it reaches the server but nobody restarts nginx. Two months later something expires in production at 2am and an engineer is SSH-ing into boxes trying to work out which service is holding the stale cert. Anyone who has run infrastructure has lived through some version of this.

That gap is getting more painful, not less. Certificate lifetimes have been shrinking steadily across the industry, and every reduction multiplies the number of renewal events a team has to survive. Manual last-mile steps that were tolerable at one renewal a year become untenable at six.

CA-agnostic is the pitch

ManageEngine is positioning the feature as certificate-authority-agnostic, which matters more than it sounds. Most enterprises don’t run one CA – they run an internal PKI for machine identities, a public CA for external-facing services, and something inherited from an acquisition that nobody wants to touch. Automation locked to a single CA solves a third of the problem and leaves the messy two-thirds alone.

Vasudevan Seshadri, director of product management at ManageEngine, is the named spokesperson on the announcement.

The catch

Zero-touch automation that restarts production services is a double-edged tool. “Runs configured scripts and restarts dependent services” is exactly the sentence that ends with an unplanned outage if the dependency graph is wrong. ManageEngine hasn’t detailed rollback behaviour, staged rollout, or what happens when a restart fails halfway through a cluster – the things that separate an automation feature from an automation incident.

It’s also a crowded space. Venafi, Keyfactor and the cloud providers’ native certificate managers all cover overlapping ground, and enterprises with real PKI problems usually already have something. The pitch here is consolidation for shops already inside the ManageEngine estate.

Still, going after the boring last mile is the right instinct. It’s where the pager goes off.