The Ghost in the Switch: Why Hidden Expired Certificates Are the #1 Risk to SOC 2 Compliance

The Ghost in the Switch: Why Hidden Expired Certificates Are the #1 Risk to SOC 2 Compliance

The Certificate Nobody Remembered

Every engineer who has ever troubleshot a 3 a.m. outage knows the feeling. The dashboards are red. A regional VPN concentrator will not negotiate new sessions. The edge router is refusing management plane connections. The SIEM stopped pulling logs from a stack of core switches four hours ago, and nobody noticed because the SIEM itself is still happily collecting everything else. Hours later, after someone finally runs openssl s_client against the device, the truth comes out: the identity certificate baked into that switch in 2021 quietly expired last night.

This is what we call a ghost in the switch. It is not a theoretical attack. It is not a sophisticated adversary. It is a forgotten X.509 certificate on a piece of infrastructure that nobody has logged into in three years, which means nobody saw the expiration warning, which means the first indication of a problem is downtime — or worse, a SOC 2 auditor asking why your chain of evidence has a gap.

In almost every compliance engagement we see, the conversation about machine identities is the one that derails the room. Not the firewall rulebase. Not the password policy. Not the endpoint detection coverage. The conversation about who owns which certificate, where it lives, when it expires, and what audit trail proves that it was rotated on time. That is where SOC 2 Type II audits go quiet.

Why Internal Certificates Are the Blind Spot Nobody Talks About

If you ask most teams whether they track certificates, they will confidently answer yes. What they actually mean is that they track the certificate on their public website and maybe the API gateway. Those are the ones that page somebody when they expire because browsers and customers notice instantly. Those certificates are public, scrutinized, and usually managed by a commercial CA with renewal reminders loud enough to wake the dead.

The problem is not the public certificates. The problem is the private ones.

A mid-sized enterprise running 200 network devices typically has between 4,000 and 15,000 internal certificates deployed. Each router, switch, firewall, VPN concentrator, wireless controller, and out-of-band management card ships with a factory identity certificate. Operations teams replace some of them with enterprise-signed identities for SSH host keys, HTTPS management interfaces, 802.1X supplicants, EAP-TLS authentication, RADIUS server certs, or SNMPv3 trust anchors. Most of those identities are rotated once during deployment and then left alone. Nobody tracks them because the dashboard they sit on does not exist.

These are the ghosts. They authenticate automated tools. They prove device identity to the network access control system. They gate the NETCONF sessions that push configuration. They are the silent plumbing of the zero-trust architecture that your compliance report claims you run — and half of them are invisible to the team supposedly responsible for them.

The SOC 2 Audit Angle: Why Auditors Care About Certificates

A SOC 2 Type II audit is not a point-in-time assessment. It is a sustained evaluation of whether the controls described in your system description actually operated, continuously, across the audit window — typically six to twelve months. That word "continuously" is doing a lot of work. It means every time a privileged session happened, every time a configuration was pushed, every time a network device authenticated to the identity store, the control had to be there, and you have to be able to prove it.

Where certificates come in is simple. The Trust Services Criteria that most SOC 2 audits exercise — Security, Availability, Confidentiality, and Processing Integrity — all rest on the assumption that system-to-system communication is authenticated and encrypted. CC6.1 covers logical access. CC6.6 covers transmission of confidential information. CC7.2 covers the monitoring of system components. None of those controls function if the underlying machine identity has expired, been replaced without rotation of dependent trust stores, or cannot be traced back to a deliberate approval event.

Here is the test an auditor will eventually run: "Show me the evidence that the certificate on core-switch-04 has been in a valid state throughout the audit period, that any rotation events were approved by an authorized party, and that the private key associated with it has been protected against disclosure." If your answer involves opening a spreadsheet and searching for "core-switch-04," the audit is already in trouble. Not because the control has failed, but because the evidence supporting it is not continuous and is not tamper-evident. Auditors cannot accept a spreadsheet that an engineer could have edited last night to make the numbers line up.

The Line in the Sand: Platform Ownership vs Tenant Responsibility

One of the most consequential conversations we have with customers is about where the line falls between what the platform owes them and what they owe the platform. We call it the Line in the Sand, and it is the single most common source of audit finding confusion in multi-tenant managed services.

On the platform side of the line, the provider is responsible for the shared control plane: the PKI roots, the tenant isolation boundary, the cryptographic modules, the audit log pipeline, the physical and environmental controls on the underlying hosting facility. When a customer asks "is Innovexus SOC 2?", what they are really asking is whether the platform side of the line carries its weight. That answer is inherited from the hosting partners and the platform controls, and it is what the /compliance page documents in precise, attributable language.

On the tenant side of the line, the customer is responsible for the identities, policies, and evidence of their own operation: which users hold which roles, which devices belong in which pod, when privileged access was granted and revoked, how the rotation schedule for their own certificates is approved and executed, and how the audit trail for their own tenants is preserved and exported. No platform can take those responsibilities from the customer — a SOC 2 auditor will ask the customer directly about them, and a "the vendor handles it" answer is not acceptable.

The Line in the Sand matters because it is where almost every audit finding lives. A customer assumes the vendor's compliance report covers something it does not. Or a customer never sets up a tenant-side rotation workflow because they assume the platform will warn them automatically and somebody was supposed to check the inbox. Or — most commonly — a customer cannot produce evidence of tenant-side activity because the evidence lives in three different systems that were never cross-referenced.

The fix is structural. A well-designed platform makes the line explicit. It surfaces tenant-side responsibilities in the same interface where platform status is shown. It generates tenant-side audit records in the same format as platform audit records. It does not require the customer to build their own evidence pipeline — because that is the pipeline that always breaks first.

The Chain of Evidence: What Auditors Actually Want

Ask any experienced SOC 2 auditor what separates a clean audit from a painful one, and the answer will almost always be the same: the chain of evidence. Not the controls themselves — most organizations have controls. Not the policies — most organizations have policies. The chain of evidence is the continuous, tamper-evident, cryptographically ordered record of every event that touched a covered system, with enough context attached that a reviewer two years from now can reconstruct what happened, who did it, why they were allowed to, and whether the result matched the intent.

Spreadsheets cannot do this. Ticketing systems cannot do this on their own. A shared drive full of PDFs cannot do this. The chain of evidence has five properties that, together, almost nothing built in-house can deliver:

• Immutability: events cannot be retroactively edited or deleted. Once a rotation event is recorded, no engineer has a credible path to alter that record after the fact.
• Attribution: every event is tied to a specific identity — human or machine — with strong authentication behind it. Anonymous actions are a finding, always.
• Context: every event carries enough surrounding state that a reviewer does not need to correlate across systems by hand. What device, what config version, what policy was in force, what approval preceded it.
• Chronology: events are timestamped from a trusted clock source and ordered in a way that cannot be silently reshuffled. Gaps in the timeline are themselves findings.
• Exportability: the full trail can be produced on demand, in a format that the auditor can consume, without the operations team building a custom query for each question.

What most organizations present to auditors during their first SOC 2 engagement is some approximation of these properties assembled in a hurry from whatever systems happened to be logging at the right time. The gaps get papered over with written narratives. The auditor writes up the gaps as findings and hands back a report that is technically passed but privately embarrassing.

What a mature compliance program presents is a unified audit trail that was designed from day one to be the chain of evidence. Every privileged session leaves a record. Every certificate rotation leaves a record. Every policy exception leaves a record. Every configuration change leaves a record. The records are in the same store, the same format, the same clock domain, and they are searchable end-to-end by the audit team without asking engineering for help.

How Hidden Certificates Break the Chain — and How to Rebuild It

When a certificate on a core switch expires silently, several things happen to the chain of evidence at once. The device drops off the authenticated management network, which means subsequent configuration changes may happen through a degraded or unauthenticated path — no record, or a record that cannot be tied to a specific operator. The SIEM loses visibility because TLS-protected log forwarding fails, which means a gap opens in the continuity of monitoring evidence. The automated change-control tooling starts returning errors that get snoozed by an on-call engineer, which creates a second gap: the snooze is undocumented, the underlying condition is undocumented, and the fact that both happened together is undocumented.

From the auditor's perspective, the question is not whether the certificate expired. Certificates expire, and a healthy system has a rotation cadence that sometimes slips. The question is whether you can produce a timeline that shows: the expiration was detected, the detection was attributed to a specific monitoring control, an approved responder was notified, the rotation was performed by an authorized operator under a documented change window, and the audit trail itself did not silently suppress evidence during the affected window.

That is a five-step chain. Each step is a separate control and each step has to leave its own record. Almost no organization builds that chain from scratch. It is the kind of thing that has to be baked into the platform layer by design — because every link is owned by a different subsystem and losing any one of them retroactively breaks the evidence for everything downstream.

Rebuilding the chain after the fact is possible but expensive. It requires pulling network device logs, correlating them with configuration archives, cross-referencing with ticketing records, and writing a narrative that explains every gap. The auditor will accept that narrative if it is compelling. They will note the finding anyway, because the point of SOC 2 is that the evidence should not require a narrative.

What a Unified Audit Trail Looks Like in Practice

A unified audit trail — the kind of thing a mature platform provides — collapses the chain of evidence into a single stream. At Innovexus we think about this as four layers that have to line up:

1. Identity layer: every action is attributable to a specific user or service principal, authenticated by an identity store that the platform operates and the tenant inherits. No shared credentials, no role account logins, no "the system did it" records.
2. Session layer: every privileged session — SSH, console, web UI, API — is recorded with full command-line fidelity, tied to the identity that opened it, and associated with the specific device or tenant scope where it acted.
3. State layer: every change to device configuration, policy, or infrastructure state is snapshotted before and after, linked to the session that caused it, and retained for the full audit window.
4. Evidence layer: every event from the three prior layers is written into a log store that is append-only, cryptographically ordered, and exportable to the auditor in a format they already know how to read.

When a SOC 2 auditor asks for evidence of a specific control — for example, that the certificate on core-switch-04 was rotated under an approved change during the audit period — the answer is a single query against the evidence layer that returns the session record, the state diff, the approving identity, and the timestamp range in which it all happened. No cross-system correlation. No narrative. No "let me check the spreadsheet." Just evidence.

That is the difference between a platform that makes SOC 2 easier and one that treats SOC 2 as the tenant's problem. Both are legitimate business models. Only one of them lets a small NOC team pass a Type II audit without adding a full-time compliance engineer.

Closing Thoughts: The Ghost Is Preventable

The machine identities on your internal switches and routers are not going to audit themselves. They are not going to rotate themselves. And they are not going to generate their own evidence. The only path to making them compliance-ready is to treat them as first-class citizens of the operations platform — visible in the same dashboard as everything else you monitor, tied to the same identity and session model as the humans who touch them, and written into the same audit trail that the auditor is going to ask for six months from now.

At Innovexus, every tenant pod includes the machine identity layer in the default control plane — certificates on managed devices are inventoried, their expiration is monitored in the same dashboard as everything else, and every rotation event is written into the unified audit trail on the tenant's side of the Line in the Sand. That does not make SOC 2 automatic — no platform can — but it turns the hardest part of the evidence problem into a query instead of an archaeology expedition.

If your team is approaching a Type II audit window and you are not sure where your internal certificates live, who owns them, or how you would prove their state on a specific date last quarter, the time to find out is now, not during the audit. Request a pod walkthrough and we will show you where the ghosts are before the auditor does.

Innovexus provides a unified NOC/SOC platform with a built-in chain of evidence — identity, session, state, and audit trails in one tenant pod. SOC 2 Type II compliance posture is documented at /compliance. Schedule a demo or compare against your current stack.