Client Overview
The organisation is the digital government authority of a GCC nation, responsible for the shared technology infrastructure that supports e-government services used by citizens and businesses. The authority operates centralised platforms including a national digital identity system, an e-payment gateway, and several cross-agency data exchange services, and provides technology policy guidance to other government ministries and entities.
The Challenge
The authority managed its own certificate estate and also had visibility responsibilities for certificates used on government portals operated by other ministries. In practice, each ministry managed its own certificates with no reporting back to the authority. A national cybersecurity review found expired certificates on the portals of three ministries, as well as on one of the authority's own internal API endpoints. The review report recommended that the authority establish a centralised certificate management capability covering its own systems and providing governance oversight of other government entities. The authority's leadership wanted a solution they could use internally and potentially extend to other ministries on a shared-service basis over time.
“Finding expired certificates on government portals during a national cybersecurity review is not a good look. We needed to fix our own house first and then provide a model that other ministries could adopt.”
— Director of Digital Infrastructure
The Solution
eMudhra deployed CertiNext for the authority's own certificate estate, with a governance model designed to support the future onboarding of other ministries. The initial deployment covered the authority's national digital identity platform, e-payment gateway, and cross-agency API infrastructure — 95 certificates in total. An automated discovery scan identified eight expired or at-risk certificates requiring immediate attention. Renewal workflows were configured with approval routing through the authority's infrastructure team and escalation to the Director of Digital Infrastructure for critical public-facing services. A reporting module was configured to produce certificate posture summaries that could be shared with the national cybersecurity oversight body. The platform architecture was designed to support multi-entity management, enabling other ministries to be onboarded as additional tenants in future phases.
Results
All eight at-risk certificates were addressed within two weeks. The authority presented the CertiNext deployment to the national cybersecurity oversight body as part of its remediation response, which was accepted without further findings. Two ministries have since been onboarded as additional tenants, with the authority providing centralised visibility and governance over their certificate estates.
| Metric | Before | After |
| --- | --- | --- |
| Authority certificate estate | 95 certificates; no centralised management | All 95 tracked and governed in CertiNext |
| At-risk certificates | 8 expired or approaching expiry | All addressed within 2 weeks |
| National cybersecurity review finding | Expired certs identified on govt portals | Remediation accepted; findings closed |
| Ministry onboarding (shared service) | No shared certificate governance model | 2 ministries onboarded as additional tenants |
| Oversight body reporting | No mechanism for posture reporting | Quarterly posture reports generated via CertiNext |