Cryptographic failures have a knack for turning a quiet weekend into a chaotic, all-hands-on-deck emergency. Consider the SHA-1 to SHA-2 deprecation, sometimes referred to as “Shapocalypse,” which sent teams scrambling to reissue thousands of certificates and exposed how many legacy systems weren’t ready for stronger hash algorithms. The major Certificate Authority (CA) distrust events involving DigiNotar in 2011, Symantec in 2017-18, and Entrust in 2024-25 created similar disruption. In each case, organizations had days, not months, to replace critical certificates across their entire production environments.
These incidents highlight a critical truth: crypto agility is the foundation for addressing today’s cryptographic challenges and preparing for the future of post-quantum cryptography (PQC). Without agility, post-quantum safety cannot succeed. Building this foundation is the first and most essential step. As certificate lifetimes continue to shorten, algorithms evolve, and trust anchors shift with little warning, organizations that focus on crypto agility are far better positioned to adapt without disruption.
For many teams, the most significant issues remain hidden until something breaks. Routine discovery often reveals internal CAs that the official PKI team never approved or knew existed, hardcoded keys embedded inside scripts and workloads, or legacy systems that cannot support modern cryptographic curves or key sizes. These hidden risks define the operational reality of enterprise cryptography, and understanding where they exist is the first step toward building crypto agility.
Why crypto agility matters now
Crypto agility goes beyond post-quantum marketing buzzwords and is now widely acknowledged as a critical operational capability. NIST SP 1800-16 highlights the need for organizations to have the capability to replace cryptographic components without breaking everything.
This capability is increasingly becoming a prerequisite for modern security architectures.
- Deep discovery: Find every certificate, key, algorithm, and keystore across your cloud workloads, legacy systems, and everything in between.
- Centralized policy enforcement: Set secure defaults and get rid of risky, one-off exceptions that cause problems later.
- Lifecycle automation at scale: Automate updates, renewals, and replacements for a few systems or a few thousand.
- True replaceability: Swap out algorithms, CAs, or libraries without having to re-architect your applications.
This foundation helps your organization respond to inevitable changes, such as shortening certificate lifetimes, industry-wide algorithm transitions (like RSA to ECC), unexpected CA failures, and post-quantum.
How identity security enables crypto agility
Achieving crypto agility requires visibility, control, automation, and readiness for emerging cryptographic shifts. Identity security provides the framework that brings these capabilities together in a practical, operational way, which is why it plays such a central role in making crypto agility achievable at scale. Together, the following capabilities form the core elements that enable organizations to operationalize crypto agility in practice:
1. Comprehensive discovery across your entire estate
You can’t secure what you can’t see. You need to be able to discover certificates, keys, and algorithms across your entire environment, including cloud, containers, on-prem, and legacy systems.
This is how many of our customers find the hidden risks that lead to outages:
- Shadow CAs using the company name but operating outside of the PKI team’s control.
- Legacy SAP and mainframe systems that can’t handle modern cryptographic curves or key sizes.
- Expiring certificates that were the root cause of past production incidents.
- Hardcoded keys embedded inside scripts and workloads.
We see this happen during live demos. Discovery identifies a looming outage, and attendees have to leave the call to fix it. It’s a powerful, real-time illustration of the visibility gap most organizations face. Modern automated discovery tools can surface these issues in minutes, often during real-time assessments.
2. Best practices to prevent cryptographic failures before they occur
Once you have visibility, the next step is control: centralize policies that define what kind of cryptography is acceptable in your environment. You can set rules for:
- Algorithms and key lengths
- Signing mechanisms and templates
- Approved CAs and issuance workflows
This acts as a guardrail, preventing deprecated algorithms from reappearing in production and non-compliant internal CAs from issuing certificates that browsers will later distrust. Policy is what stops tomorrow’s migration from becoming the next “Shapocalypse.”
3. Automated lifecycle workflows for migration and replacement
This is where teams feel the greatest impact. Historically, cryptographic changes have required a massive amount of manual work. During the Symantec distrust event, some companies had to rotate tens of thousands of certificates under nearly impossible deadlines. Replacing a CA can take years without the right tools.
Here are the benefits of automating the entire process:
- Distributed certificate renewals across thousands of nodes.
- Coordinated mass reissuance during CA changes.
- Algorithm transitions driven by new security mandates.
- Application-safe key and certificate rotation.
Work that once took months of manual effort can be executed in hours, or even minutes. You can finally orchestrate change without the outage risk that comes with doing it by hand.
4. PQC preparedness without premature commitments
The move to post-quantum cryptography (PQC) is on the horizon, but jumping in too early is risky. You need to prepare for PQC practically.
A unified identity security platform can help you:
- Test PQC algorithms safely in isolated lab environments.
- Understand which of your systems, libraries, and HSMs are PQC-ready (hint: most are not).
- Build the automated workflows that will make the future transition predictable and smooth.
The message is simple: crypto agility makes PQC possible. The reverse is not true. Building a foundation of agility is the first and most crucial step.
How organizations are maturing crypto agility practices
Organizations that invest in centralized crypto governance and automation consistently report meaningful reductions in outages, smoother responses to industry-wide changes like CA distrust events, and greater confidence during audits—all outcomes tied to stronger visibility and control across their cryptographic environments.
Several organizations have reported measurable improvements as they’ve modernized their certificate and key management practices. For example:
A large retailer highlighted significant risk reduction:
Karthik Kashyap T H, lead engineer, noted: “Certificate Manager has reduced the certificate expiration outages to almost nil. Just to give an analysis, before 2022, we had a lot of major incidents due to expired certificates. Since 2022, we have had almost zero major incidents wherein we saw a financial impact or business disruption due to an expired certificate.”
A major communications service provider reported broad operational and business impact:
“We have reduced 80% to 90% of our outages with Certificate Manager, which impacts the revenue substantially.”
Taken together, these examples reflect a broader pattern we see across organizations modernizing their crypto operations.
Organizations also experience a reduced burden on PKI, platform, and security teams, along with greater negotiating power with commercial CAs, as switching vendors is no longer a painful, multi-year project.
With the right platform, crypto agility becomes a core operational capability and a genuine competitive advantage. If you are looking to reduce cryptographic risk in your organization, there are four steps you can take right now.
- Run discovery to expose blind spots across certificates, keys, algorithms, and CAs.
- Deploy policy controls to prevent non-compliant crypto from entering your environment.
- Automate lifecycle operations to eliminate manual work and the risk of human error.
- Begin PQC testing to understand your ecosystem’s readiness for the next big transition.
Cryptography underpins everything your business does online. Crypto agility is what ensures its resilience. As cryptographic change accelerates—from shortened certificate lifetimes to PQC—organizations that build crypto agility now will be far better positioned for what’s next.
Nicolas Malbranche is a staff product manager at CyberArk.
