Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 1800-16 (Initial Preliminary Draft)

Securing Web Transactions: TLS Server Certificate Management

Date Published: November 2018
Comments Due: February 18, 2019 (public comment period is CLOSED)
Email Questions to:


Murugiah Souppaya (NIST), William Haag (NIST), Paul Turner (Venafi), William Barker (Dakota Consulting)


This project is using commercially available technologies to develop a cybersecurity reference design that demonstrates how to establish, assign, change and track an inventory of Transport Layer Security (TLS) certificates in medium and large enterprises. Improper oversight of TLS server certificates--which can number into the thousands for a single organization--can cause system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers.

We will use this feedback to help shape the latter volumes of this guide, scheduled for release in full (Volumes A,B,C,D) in the spring of 2019. In the interim, organizations can start adopting NIST's recommended best practices surrounding the oversight of large scale TLS server certificates.



authentication; certificate; cryptography; identity; key; key management; PKI; private key; public key; public key infrastructure; server; signature; TLS; Transport Layer Security
Control Families

Access Control; Audit and Accountability; Configuration Management; Program Management; System and Information Integrity


Prelim. Draft SP 1800-16

Supplemental Material:
Project homepage

Related NIST Publications:
Project Description

Document History:
11/29/18: SP 1800-16 (Draft)
07/17/19: SP 1800-16 (Draft)
06/16/20: SP 1800-16 (Final)