Client Overview
The organisation is a mid-sized general insurance company operating across two GCC countries, offering motor, health, and property insurance products through a network of 40 branches and a direct digital sales channel. The company has been migrating its core systems to a hybrid cloud environment over the past two years, adding new API integrations with hospital networks, third-party comparison platforms, and a government motor insurance portal.
The Challenge
As the company added cloud-hosted services alongside its existing on-premises systems, certificate management became increasingly difficult to track. Each environment had its own renewal process — in some cases handled by the original implementation vendor, in others by the internal IT team — with no single owner responsible for the overall estate. When the company's health portal experienced a certificate expiry that caused a 12-hour outage affecting claims submission, the incident exposed how fragmented the situation had become. An internal review found that the company held certificates from four different CAs, with renewal dates spread across the year and no automated alerting in place. The local insurance regulator's cybersecurity guidelines, updated that year, required insurers to demonstrate certificate management controls as part of their annual compliance submission.
“We had certificates managed by three different people using three different processes. Nobody had the full picture, and a 12-hour outage on our claims portal made that very clear.”
— Chief Technology Officer
The Solution
eMudhra deployed CertiNext as the company's central certificate management platform, covering both the on-premises environment and the cloud-hosted services. The initial discovery scan found 190 certificates across the estate — 14 of which were expired or within 45 days of expiry with no renewal plan. Automated renewal workflows were configured for each environment, with the company's IT manager designated as the primary approver and the CTO notified for any certificate on policyholder-facing systems. CertiNext consolidated the company's four CA relationships into two, with a private CA deployed for internal service certificates. A compliance report template was set up to generate the certificate governance evidence required for the regulator's annual submission, reducing what had previously been a manual two-day exercise to a 20-minute export.
Results
All 14 at-risk certificates were addressed within three weeks. In the 12 months after deployment, the company experienced no certificate-related outages. The annual regulatory compliance submission included a CertiNext-generated certificate governance report for the first time, which the regulator accepted without follow-up questions. External CA spend reduced by around 25% through CA consolidation and the use of the private CA for internal certificates.
Metric | Before | After |
Certificates under managed governance | 190 across 4 CAs; no central view | All 190 in unified CertiNext dashboard |
At-risk certificates at deployment | 14 expired or within 45-day window | All addressed within 3 weeks |
Cert-related outages | 1 major outage (12 hours) in prior year | Zero in 12 months post-deployment |
Regulatory compliance effort | Manual 2-day evidence compilation | 20-minute report export via CertiNext |
External CA spend | 4 CA relationships; no consolidation | Reduced ~25% through consolidation |
