How to Evaluate CLM Vendors and Licensing Models

Compare CLM vendors including Keyfactor, Venafi, DigiCert, Sectigo, Entrust, and Certdog. Detailed product capabilities, licensing models, and pricing benchmarks for 2026.

Selecting a certificate lifecycle management (CLM) platform is one of the most consequential infrastructure decisions an organisation will make. The platform will underpin your ability to maintain digital trust, prevent certificate-related outages, meet regulatory requirements, and prepare for the cryptographic transitions ahead.

The CLM market is evolving rapidly. CyberArk's $1.54 billion acquisition of Venafi in 2024 reshaped the competitive landscape. Keyfactor strengthened its position through two acquisitions in 2025. The CA/Browser Forum's decision to reduce public TLS certificate lifetimes to 47 days by 2029 has made automated certificate lifecycle management a strategic imperative rather than an operational nice-to-have.

This guide maps the major CLM vendors, their products, and their capabilities. It then breaks down the seven licensing models in the market and provides practical guidance on evaluating total cost of ownership. For the fundamentals of what CLM is and why it matters, see our companion guide, "What is Certificate Lifecycle Management?".

Defining Your Requirements Before You Evaluate

Before comparing vendors, you need to understand your own environment. The following questions should shape your evaluation:

Certificate estate size and growth: how many certificates are under management today? What is the projected growth over one, three, and five years? Environments with 5,000 certificates have fundamentally different requirements from those with 500,000.

Certificate types: do you need to manage public TLS certificates, internal PKI certificates, device certificates, code signing certificates, S/MIME, or machine identities? Not every platform handles all types equally.

CA landscape: which Certificate Authorities do you use today? Do you operate Microsoft AD CS, EJBCA, or another private CA? Do you use multiple public CAs? A platform that only integrates with its own CA creates vendor lock-in.

Deployment model: do you need on-premises, SaaS, hybrid, or air-gapped deployment? Defence and government environments often require on-premises or air-gapped capability.

Integration requirements: what systems does the CLM platform need to connect with? Consider SIEM, ITSM (ServiceNow), PAM, HSMs, DevOps pipelines, Kubernetes, and cloud providers.

Protocol support: which certificate management protocols does your environment require? ACME for web automation, EST for device enrolment, CMP for telecom/government, SCEP for Microsoft/MDM?

PQC readiness: does the platform support post-quantum cryptography algorithms and provide cryptographic discovery capabilities for migration planning?

Vendor Product Map: Who Provides What

The following section maps the major CLM vendors, their core products, and their key strengths and limitations.

Venafi (CyberArk Certificate Manager)

The dominant enterprise CLM platform, acquired by CyberArk for $1.54 billion in 2024. The product is being rebranded as CyberArk Certificate Manager and integrated into CyberArk's identity security portfolio. Venafi offers TLS Protect (on-premises), TLS Protect Cloud (SaaS), and TLS Protect for Kubernetes (built on Jetstack's cert-manager).

Strengths: 200+ out-of-the-box integrations; proven at over one million certificates; FedRAMP authorised; the broadest discovery and automation ecosystem in the market; SSH key management and code signing governance.

Limitations: does not act as a CA itself; integration complexity is high with 3 to 6 months typical implementation; pricing is opaque and has increased since the CyberArk acquisition; product roadmap now driven by CyberArk's IAM strategy rather than pure PKI.

Keyfactor Command

The primary mid-market alternative to Venafi, with a dedicated CLM platform distinct from EJBCA (its CA software). Keyfactor acquired InfoSec Global and CipherInsights in 2025 for cryptographic discovery and PQC capabilities. Unsung is a Keyfactor partner and works extensively with Keyfactor Command.

Strengths: native EJBCA integration allowing certificate profile management directly within the Command UI; leading PQC readiness with ML-DSA and SLH-DSA support; advanced RBAC; customisable dashboards; ServiceNow integration included; on-premises, SaaS, Azure Marketplace, and air-gap deployment options.

Limitations: not a CA itself (requires EJBCA or a third-party CA); not yet FedRAMP authorised; proven scale ceiling around 500K certificates versus Venafi's 1M+; narrower integration ecosystem (50 to 80 native connectors versus 200+); implementation requires 2 to 4 months.

DigiCert Trust Lifecycle Manager

Built on the DigiCert ONE platform, this integrates CA-agnostic CLM with DigiCert's public trust CA issuance and private PKI services. DigiCert moved to a new unified seat-based licensing model in October 2025.

Strengths: CA-agnostic management (DigiCert CA, Microsoft CA, AWS Private CA, Google CAS); public and private trust from a single platform; UEM integration (Intune, JAMF); quantum-safe certificate support; strong for organisations standardising on DigiCert.

Limitations: SaaS-only with no on-premises deployment option; no air-gap support; per-certificate costs at enterprise scale are prohibitively expensive without DigiCert CA bundling; ACME automation limited to DV certificates; performance degradation reported at peak volumes.

Sectigo Certificate Manager (SCM)

A cloud-native, CA-agnostic CLM platform from Sectigo (formerly Comodo CA). Available as full enterprise SCM and an SMB-focused SCM Pro tier.

Strengths: CA-agnostic; strong ACME support with DNS-based DCV automation; cloud-native and highly scalable; SCM Pro provides flat-rate per-domain pricing for smaller organisations; recognised as a G2 CLM leader.

Limitations: limited on-premises deployment compared to Venafi and Keyfactor; less depth in enterprise ITSM/SIEM integrations; SCM Pro limited to DV/OV certificates; no code signing governance or SSH key management; less suited to very large (200K+) certificate estates.

Entrust PKI Hub

Launched in January 2025, Entrust PKI Hub is an all-in-one container-based virtual appliance bundling a high-throughput CA, CLM (CertHub), enrolment services, OCSP, timestamping, and CA gateway into a single deployment.

Strengths: complete PKI stack in a single appliance; container-based for easy scaling; post-quantum-ready architecture; centralised management console; good for organisations wanting a simplified deployment.

Limitations: newer product with less mature ecosystem and third-party integrations; limited Kubernetes and SIEM/ITSM integration documentation; licensing tiers (X-Small, Small, Medium) may constrain flexibility for rapidly scaling environments.

Certdog (Krestfield)

A UK-developed CA and CLM platform targeting SME to mid-enterprise organisations, with particular strength in Microsoft AD CS environments. Available with a free tier (limited by certificate count) and paid commercial tiers.

Strengths: creates root and intermediate CAs with CRL/OCSP services; direct AD CS and EJBCA integration; REST API for DevOps automation; supports AWS CloudHSM, Azure Key Vault, Google KMS; Windows, Linux, and container deployment; lower cost of entry than tier-1 platforms.

Limitations: lacks large enterprise integrations (no native ServiceNow, Splunk, SIEM connectors); smaller integration ecosystem; no native Kubernetes CLM; less suited to estates exceeding 100K certificates at high concurrency; no publicly communicated PQC roadmap.

Other Notable Platforms

AppViewX CERT+: enterprise CLM automation platform positioning itself as a centralised control plane across hybrid-cloud, multi-cloud, legacy, containers, and IoT environments. Strong workflow automation and crypto-agility features.

GlobalSign Atlas / LifeCycleX: built on GlobalSign's Atlas platform with a unique SAN-based licensing model designed for the 47-day certificate era. LifeCycleX launched in September 2025.

Nexus Certificate Manager: a mature multi-tenant PKI platform deployed across approximately 100 large organisations hosting roughly one billion certificates. Specialises in national eID, citizen identity, and government PKI.

HashiCorp Vault PKI: treats certificates as ephemeral, short-lived tokens generated on-demand via API. Ideal for Kubernetes, microservices, and DevOps but not designed for traditional long-lived certificate management.

AWS Private CA: managed CA service for issuing private certificates within the AWS ecosystem. Not an enterprise-wide CLM solution, but useful for AWS-native workloads.

Microsoft AD CS: free Windows Server role providing basic private PKI. Widely deployed but increasingly limited for hybrid and cloud environments, with no built-in CLM, minimal automation, and no central dashboard.

Capability Comparison Matrix

The following table provides a high-level comparison of core CLM capabilities across the major platforms.

PKI CLM Comparison Matrix

CLM Licensing Models Explained

CLM licensing varies significantly across vendors. Choosing the wrong model can result in costs escalating dramatically as certificate volumes grow, particularly as shorter certificate lifetimes drive up renewal frequency. There are seven distinct models in the market today.

1. Per-Certificate Pricing

Organisations are charged based on the number of certificates under active management per year, typically on top of a base platform licence. This is the most traditional model, used by Venafi (estimated $1 to $8 per certificate plus $100K to $300K base), Keyfactor Command (estimated $1 to $5 per certificate plus $50K to $100K base), and Sectigo SCM at enterprise scale.

Per-certificate pricing works well for small estates but becomes problematic as volumes grow. An estate of 50,000 certificates at $5 per certificate means $250,000 per year in certificate charges alone, before the base licence. The move to 47-day TLS certificates increases renewal frequency eightfold, making this model increasingly unsustainable for many organisations. It also encourages shadow IT, with teams avoiding registering certificates to dodge cost allocation.

2. Seat-Based / Per-User / Per-Device Licensing

Licences are purchased per user, device, or server endpoint, decoupled from certificate volume. DigiCert Trust Lifecycle Manager uses this model (since October 2025), with three subscription tiers, each using a unified seat licence consumed per server, site, or user.

This model provides predictable costs in stable-headcount environments and does not penalise organisations for issuing multiple certificates per endpoint. However, costs scale with headcount growth, and it can still be expensive at enterprise scale for large device inventories.

3. Platform / Component Licensing

Organisations pay a base platform fee with additional charges for individual feature modules. Keyfactor Command uses this approach, where your licence may not include all features and additional components can be added later. Entrust PKI Hub offers three appliance tiers (X-Small, Small, Medium) with a separate certificate volume layer.

Component licensing lets organisations pay for what they use and add features incrementally. The downside is that total cost is difficult to predict without understanding future requirements, and discovering that a needed feature requires a higher licence tier creates unwelcome surprises during procurement.

4. SAN-Based / Domain-Based Licensing

Rather than pricing per certificate, this model charges based on the number of unique Subject Alternative Names (SANs) or FQDNs in use. Multiple certificates covering the same SAN do not increase cost. GlobalSign's SAN Licensing model is the most notable example, explicitly designed for the 47-day certificate era. Sectigo SCM Pro also uses per-domain flat-rate plans for its SMB tier.

SAN-based licensing is future-proofed for short-lived certificates, because reissuing a certificate every 47 days does not increase the licence cost. It is straightforward for organisations managing a defined set of domains. However, it is less flexible for dynamic environments where SAN counts change frequently and may not cover internal PKI certificates.

5. Flat-Fee / Unlimited Subscription

A single annual fee covering unlimited certificate management, regardless of volume, type, or renewal frequency. Garantir launched this model in March 2026 at $99,000 per year for unlimited CLM and $25,000 per year for private PKI, with no cap on certificates, users, or teams.

Flat-fee licensing provides complete cost predictability and encourages full coverage, as every certificate can be monitored without cost penalty. It directly addresses the 47-day certificate challenge. The trade-off is a higher upfront cost for small estates, and Garantir is a newer market entrant with a less established track record than Venafi or Keyfactor.

6. Open Source / Infrastructure Cost Only

The software is free; organisations pay for infrastructure, optional enterprise support, and professional services. EJBCA Community (LGPL), HashiCorp Vault (self-hosted), cert-manager (Kubernetes), and Certdog's free tier all follow this model.

Zero licence cost and high flexibility are the clear advantages. However, the total cost of ownership can exceed commercial platforms when engineering time for implementation, maintenance, and integration is factored in. Community editions lack enterprise SLAs and vendor-backed support.

7. Per-CA / Usage-Based Cloud Pricing

Charges based on the number of Certificate Authorities operated and certificates issued, billed monthly. AWS Private CA uses this model at $400 per CA per month (general-purpose) or $50 per CA per month (short-lived, 7 days or less), plus tiered per-certificate fees.

This works for AWS-native environments with a pay-as-you-grow model and no upfront capital expenditure. However, CA operational costs are fixed regardless of usage, per-certificate costs at scale can exceed commercial CLM platforms, and you are locked into the cloud vendor ecosystem.

Licensing Model Comparison

PKI CLM Licensing Model

Understanding Total Cost of Ownership

Licence fees are only part of the picture. When evaluating CLM platforms, organisations should account for:

Implementation and professional services: enterprise CLM implementations typically require two to six months and significant vendor or partner professional services. Venafi implementations tend toward the longer end (three to six months), Keyfactor toward the shorter (two to four months).

Training and onboarding: platform-specific training for security, infrastructure, and operations teams.

Integration costs: connecting the CLM platform to SIEM, ITSM, PAM, HSM, and DevOps systems often requires custom configuration.

Ongoing operations: monitoring, maintenance, support renewals, and platform upgrades.

47-day certificate impact: per-certificate pricing models should be stress-tested against eight times the current renewal frequency. A cost that looks manageable at 398-day validity may become unsustainable at 47 days.
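The stress test recommended above is easy to run for yourself before a vendor conversation. The following Python script is an added example (it is not code from this page or from any vendor): it models a certificate estate, computes how many issuances per year each maximum validity period implies, and prices that estate under the per-certificate, SAN-based, and flat-fee models described above. The estate is constructed sample data; the price points are assumptions (the per-certificate figures sit inside the estimated ranges quoted above, the $99,000 flat fee is the figure quoted above, and the per-SAN fee is a placeholder), and the per-certificate model assumes every issuance, renewal included, is counted as a chargeable certificate, which is exactly the "eight times renewal frequency" framing.

```python
"""Stress-test CLM licensing models against shorter certificate lifetimes.

Added example, not code from the page or any CLM vendor. The estate below is
constructed sample data and the price points are illustrative assumptions.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    subject: str
    sans: tuple          # FQDNs covered by this certificate
    lifetime_days: int   # validity period at issuance


# Constructed sample estate. The overlapping SANs on the two API certificates
# matter for SAN-based licensing but not for per-certificate licensing.
SAMPLE_ESTATE = [
    Cert("www.example.test", ("www.example.test", "example.test"), 398),
    Cert("api.example.test", ("api.example.test",), 398),
    Cert("api.example.test (staging)",
         ("api.example.test", "api-staging.example.test"), 398),
    Cert("vpn.example.test", ("vpn.example.test",), 398),
]

# Illustrative price points (assumptions, see lead-in).
ILLUSTRATIVE_PRICES = {
    "base_fee": 50_000,   # annual platform base licence
    "per_cert_fee": 5,    # per chargeable certificate per year
    "per_san_fee": 100,   # placeholder per unique SAN per year
    "flat_fee": 99_000,   # unlimited subscription
}


def synthetic_estate(n_hosts, lifetime_days=398):
    """Constructed estate of n hosts with one single-SAN certificate each."""
    return [Cert(f"host{i}.example.test", (f"host{i}.example.test",), lifetime_days)
            for i in range(n_hosts)]


def renewals_per_year(lifetime_days):
    """Issuances needed per year to keep one certificate continuously valid."""
    return math.ceil(365 / lifetime_days)


def issuances_per_year(estate):
    return sum(renewals_per_year(c.lifetime_days) for c in estate)


def unique_sans(estate):
    return {san for c in estate for san in c.sans}


def with_lifetime(estate, lifetime_days):
    """Re-model the same estate under a different maximum validity period."""
    return [replace(c, lifetime_days=lifetime_days) for c in estate]


def per_certificate_cost(estate, base_fee, per_cert_fee):
    # Assumption: every issuance (initial or renewal) is a chargeable certificate.
    return base_fee + per_cert_fee * issuances_per_year(estate)


def san_based_cost(estate, per_san_fee):
    # Reissuing a certificate for the same SANs does not change this figure.
    return per_san_fee * len(unique_sans(estate))


def flat_fee_cost(estate, annual_fee):
    return annual_fee


def compare_models(estate, lifetime_days, prices):
    """Price one estate under each model after forcing a maximum lifetime."""
    scaled = with_lifetime(estate, lifetime_days)
    return {
        "issuances_per_year": issuances_per_year(scaled),
        "per_certificate": per_certificate_cost(
            scaled, prices["base_fee"], prices["per_cert_fee"]),
        "san_based": san_based_cost(scaled, prices["per_san_fee"]),
        "flat_fee": flat_fee_cost(scaled, prices["flat_fee"]),
    }


if __name__ == "__main__":
    for days in (398, 90, 47):
        print(days, compare_models(SAMPLE_ESTATE, days, ILLUSTRATIVE_PRICES))
    big = synthetic_estate(50_000)
    print("50K estate, 398-day:", per_certificate_cost(big, 0, 5))
    print("50K estate, 47-day:", per_certificate_cost(with_lifetime(big, 47), 0, 5))
```

Replace `SAMPLE_ESTATE` with an export from your discovery tooling (subject, SAN list, validity period per certificate) and the vendor's actual quote to see which models stay flat when the lifetime drops from 398 to 47 days and which multiply. Note that `renewals_per_year` rounds up, so a 47-day lifetime yields eight issuances per certificate per year, the eightfold figure used above.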

How Unsung Supports CLM Selection and Implementation

Unsung is a vendor-neutral PKI consultancy that helps organisations evaluate, select, and implement CLM platforms. We do not resell CLM software on commission, so our recommendations are driven by your requirements, not vendor margins.

Our certificate lifecycle management services include:

CLM readiness assessment: we evaluate your current certificate estate, management processes, and infrastructure to define requirements and inform platform selection.

Vendor evaluation support: we help you compare platforms against your specific requirements, run proof-of-concept evaluations, and negotiate with vendors.

Implementation and integration: we deliver end-to-end CLM implementation, including discovery configuration, automation workflows, policy setup, and integration with your security tooling.

Migration from legacy systems: we specialise in migrating organisations from manual processes or from platforms like AD CS to modern CLM solutions.

Ongoing advisory: we provide continuing support for CLM operations, platform upgrades, and preparation for 47-day certificate lifetimes and post-quantum cryptography transitions.

Our consultants hold SC and DV security clearance and deliver across central government, defence, financial services, healthcare, and transport. Get in touch to discuss your CLM evaluation or implementation.

Unsung Ltd
December 8, 2025