
They’re Just Not That Into You: 5 Signs It’s Time to Rethink Your PKI Provider

You Don’t Have to Put Up With Hidden Costs and Lackluster Service 

Stop us if you have received a call from the sales representative of your PKI provider informing you that you are above your subscription limit for TLS/SSL certificates and need to purchase more in the middle of your subscription cycle. You’re thinking, “We just renewed the subscription with them and now we are running out of certificates — what’s this?” Now you’re faced with the hassle of finding additional dollars beyond what your budget allocated, getting approval for the expenditure, and coordinating the purchase with your procurement team while your current PKI provider leaves you hanging.

Well, at least it beats your previous provider, which simply stopped issuing certificates once you’d hit your limit, bringing to a halt the launch of your important website.

PKI (Public Key Infrastructure) technologies like TLS/SSL certificates are a critical component of modern network security infrastructure. But dealing with PKI providers often feels like being in a toxic relationship, marked by opaque prices, shady contracting and unreliable customer service.

Is it time to rethink your relationship with your PKI provider? In this article, we’ll review the top five signs — and explain why you don’t have to settle for less than stellar service.

Top 5 Reasons to Leave Your PKI Provider

You might not have seen the warning signs ahead of time, but if you’ve ever renewed your contractual vows with an underhanded PKI provider — or worse, tried to break up with one — you’ve probably experienced some of the following challenges.

1. Opaque Pricing Structures
Many providers offer tiered agreements that cap your certificate usage at a certain count. That works well until you exceed your limit and no one bothers to let you know.

What happens next is often one of two things. Some providers will automatically bump you into the next pricing tier, even if that gives you 200 additional certificates when you only need one or two. Others will force you to go through the procurement process. Maybe you didn’t realize you were running out of certificates, or maybe someone on your team accidentally bought too many. Do you really want to pump the brakes on critical security workflows until you have time to renegotiate? Or live with a massive amount of uncertainty in your annual IT budget?

Reliable PKI providers eliminate surprises with predictable, all-inclusive pricing. They don’t mark up the cost of certificates, and they don’t hit you with massive fees if you go over your certificate count.

2. Surprise Price Hikes
Other pricing games that PKI providers like to play include writing in unnecessary professional service charges or charging different prices for different types of certificates. Some will even discount their rates to get you in the door, then raise them as soon as your contract is up for renewal!

One professional services firm had negotiated an enterprise-level agreement with a leading PKI provider. After two years, they were switched over to a subscription model — and weren’t informed of the change until it was time to renew their contract. The kicker? Subscription pricing would cost at least $150,000 more per year.

Fortunately, there are PKI providers who don’t charge for certificate overages. At HID, for instance, we work with customers to determine a better certificate count for the following year, making renewals seamless and straightforward.

3. Unreliable Customer Service
Bots are perfectly capable of handling low-level account requests. But when you need help scaling your services or fulfilling a custom request, chances are, you’ll want to talk to a human for advice on how best to proceed. 

Unfortunately, connecting with one is no small feat when you work with some providers. Instead, they’ll move you from one chatbot to the next — and charge extra for the privilege of speaking with an actual expert.

By contrast, best-in-class PKI providers make it easy for customers to get in touch. From custom build-outs to general help, they offer expert services without hidden service fees.

4. Cancellation Fees
Need to get out of your contract? Watch out: cancellation fees at some PKI providers can run into the five figures. That’s because unscrupulous vendors will find every excuse not to let you leave: hidden service fees, certificates that somehow weren’t included in your original contract, and so on.

Other providers will threaten you with logistical, not financial, annihilation if you try to cancel, by revoking all certificates at once. That puts IT teams in the never-welcome position of figuring out how to perform a mass migration without impacting your security posture — no small task considering that the average organization manages more than 50,000 certificates!

Reliable PKI vendors don’t try to keep you in a relationship that doesn’t work for your needs. HID enables customers to retain control of their own private root keys so that it’s easy for them to move to another provider, should they choose to do so.

5. Overly Complex or Expensive Automation Tools
Certificate automation is a must-have in a world where ever-shrinking certificate lifecycles demand an almost continuous cycle of renewal to prevent the outages, inconvenience and security risks caused by expired certificates.

Unfortunately, the automation services that some providers offer are too cumbersome to be useful. Some even charge more for automated certificates! Automation adds value when it enables IT teams to outsource the complexity of certificate management and keep costs predictable and upfront. Don’t settle for anything less.

Dinner For One: When Your Team Is Its Own Worst Enemy

McKinsey research suggests that many companies prefer to buy certificates and manage PKI infrastructure on-premises. Yet while PKI tools are included in the systems that power most enterprise networks, that doesn’t mean it’s free to build, maintain and scale in-house PKI. 

On-premise servers require near-constant maintenance. Visibility is spotty, and developing features that are not your core competency requires a substantial workforce. Often system expertise resides in a single individual, leaving organizations with little recourse if that person leaves the company.

You don’t have to settle for shady contracting and hidden fees when you buy PKI certificates. Similarly, you don’t have to settle for clunky methods and hard-to-use tools to maintain your PKI infrastructure. Cloud-based PKI-as-a-Service helps organizations leverage the technology’s power without the administrative headache. Migration from on-premise PKI to PKIaaS is fast and simple because PKIaaS natively integrates with Microsoft tools such as Autoenrollment and AD CS. And once PKIaaS has been implemented, organizations can manage both private and public certificate services through a single cloud-based service — and scale as they grow. 

Your organization deserves better when it comes to security infrastructure. So why settle? Ditch the unfair pricing and unreliable customer service and look for a PKI provider that treats your team with the respect they deserve.


Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).