June 23, 2026

Automated SSL Management: How EverOps Helped Building Intelligence Eliminate Certificate Downtime

By EverOps

An Inside Look at the AWS-Native Architecture That Eliminated Certificate Failures and Freed Engineering Capacity

Building Intelligence operates the security layer that some of the world's most recognizable organizations rely on to verify every person and vehicle entering their facilities. Their flagship platform, SV3®, gives security teams a unified view of visitors, vehicles, and vendors moving through commercial real estate, convention centers, stadiums, healthcare facilities, and event venues. When a platform sits that close to the trust customers place in physical security, the reliability of its infrastructure carries the weight of every customer relationship.

Over the past year, EverOps has served as Building Intelligence’s strategic partner, helping to mature the company's infrastructure across AWS management, cost posture, and reliability. One concrete piece of that broader engagement was a complete redesign of how SSL certificates were managed, monitored, and renewed across the environment. The result is an architecture that runs quietly in the background and delivers near-zero customer-facing certificate failures.

Read on as we walk through the operational reasoning behind that work and the AWS-native architecture EverOps and Building Intelligence built together to standardize certificate management across the company’s entire environment.

Why Reliability Is the Foundation of Trust for a Security Platform

When a customer encounters a browser warning on a security platform, the implications stretch well beyond a brief technical inconvenience. The moment raises questions about the integrity of the system handling sensitive access decisions, and for a company that holds SAFETY ACT certification and SOC 2 examination status, those questions carry outsized weight. Customer trust is the product, and visible certificate failures degrade that product in ways that cannot be measured by uptime alone.

The operational cost added another dimension to the equation. Each certificate-related incident pulled engineers away from feature work and into manual remediation, sometimes for days at a time. The team needed an approach that would protect customer trust and reclaim engineering capacity together.

Managing Certificates Across a Fragmented Footprint

The technical reality at Building Intelligence reflected a pattern that quietly grows within many fast-moving engineering organizations. Certificate management had accumulated complexity over time as the team responded to new services, new domains, and new vendors. The work was getting done, but the picture of what existed, and where, had become hard to see.

Multiple Certbot installations were running across EC2 instances and Docker containers, each with its own configuration. Some certificates had been purchased manually from third-party providers and installed directly on servers. Storage locations varied across services, and ownership often lived in tribal knowledge rather than documentation.

Without a single source of truth, the team could not reliably answer fundamental questions such as: What certificates were active? When would they expire? Who owned them? How was each one being renewed? Expirations typically surfaced through customer reports of browser warnings, meaning the team learned about failures only after users had already encountered them.

The resolution required engineering judgment under pressure. The EverOps team had to identify the affected service, locate the certificate, determine the renewal mechanism, and restart the right components. The straightforward cases were resolved in minutes. However, the complex ones occasionally stretched into multi-day outages. The work demanded skilled engineers and produced no lasting reduction in risk.

Building a Unified Certificate Management Foundation

EverOps began the engagement with a full audit of every SSL certificate across the Building Intelligence environment, mapping domains, ownership, and management methods to establish a single source of truth. From there, the team designed and rolled out a standardized architecture built on AWS-native services, implemented entirely as Infrastructure as Code and delivered alongside Building Intelligence's engineers throughout each phase of the migration.

Four initiatives anchored the new architecture:

ALB-based TLS termination

All public-facing services sit behind Application Load Balancers, with TLS termination handled centrally at the load balancer layer. Certificate management responsibility lives entirely at the ALB layer, and backend services receive forwarded traffic without participating in TLS handling. Access logs flow to S3 for audit and troubleshooting visibility. To control cost and simplify operations, the architecture uses a single ALB per VPC with forwarding rules and multi-SAN certificate support, allowing the same load balancer to serve multiple domains efficiently.

ACM-managed certificate lifecycle

AWS Certificate Manager handles provisioning and automatic renewal for every certificate in scope. Renewal happens silently in the background, well in advance of expiration, with no human intervention required. Because the entire configuration lives in Infrastructure as Code, the pattern is fully reproducible across products and regions. Any change to the architecture is reviewable, testable, and version-controlled.

WAF integration for defense in depth

AWS WAF sits in front of every service behind an ALB, providing SQL injection protection, cross-site scripting defenses, and a baseline of OWASP-style controls applied consistently across the platform. Security policies are managed centrally rather than configured per instance, which makes coverage easier to verify and easier to evolve as threat patterns change. The result is a single managed security perimeter that every service inherits by virtue of sitting behind the load balancer.

Proactive monitoring and alerting

Grafana dashboards paired with Slack alerting give the engineering team continuous visibility into certificate status, traffic patterns, and security events. Issues then surface internally before any customer is affected. This gives the team time to investigate, validate, and respond on their own schedule, which keeps customer experience steady while routine maintenance happens out of view.
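
An added example (not EverOps or Building Intelligence code) of the audit-and-alert check described above: it flags certificates that ACM will not renew on its own and that are close to expiry. It assumes records shaped like the output of ACM's DescribeCertificate API; the sample records, domains and ARN are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Field names follow ACM DescribeCertificate
# output; the domains and the load balancer ARN are placeholders.
NOW = datetime(2026, 6, 23, tzinfo=timezone.utc)
ALB = "arn:aws:elasticloadbalancing:placeholder"

def _cert(domain, ctype, status, days, eligibility, in_use):
    """Build one constructed certificate record."""
    return {"DomainName": domain, "Type": ctype, "Status": status,
            "NotAfter": NOW + timedelta(days=days),
            "RenewalEligibility": eligibility, "InUseBy": in_use}

SAMPLE_CERTS = [
    _cert("app.example.com", "AMAZON_ISSUED", "ISSUED", 200, "ELIGIBLE", [ALB]),
    _cert("legacy.example.com", "IMPORTED", "ISSUED", 12, "INELIGIBLE", [ALB]),
    _cert("old.example.com", "AMAZON_ISSUED", "ISSUED", 25, "INELIGIBLE", []),
    _cert("gone.example.com", "AMAZON_ISSUED", "EXPIRED", -3, "INELIGIBLE", []),
]

def audit_certificate(cert, now, warn_days=30):
    """Return the findings for one certificate (empty list = healthy)."""
    findings = []
    days_left = (cert["NotAfter"] - now).days
    if cert["Status"] != "ISSUED":
        findings.append(f"status is {cert['Status']}")
    auto_renews = (cert["Type"] != "IMPORTED"
                   and cert["RenewalEligibility"] == "ELIGIBLE")
    if cert["Type"] == "IMPORTED":
        # ACM does not renew imported certificates; they must be re-imported.
        findings.append("imported certificate: ACM will not auto-renew")
    elif not auto_renews:
        findings.append("not eligible for managed renewal")
    if not cert["InUseBy"]:
        findings.append("not attached to any resource")
    if not auto_renews and 0 <= days_left <= warn_days:
        findings.append(f"expires in {days_left} days with no managed renewal")
    return findings

def audit_inventory(certs, now, warn_days=30):
    """Map domain -> findings for every certificate that needs attention."""
    report = {}
    for cert in certs:
        findings = audit_certificate(cert, now, warn_days)
        if findings:
            report[cert["DomainName"]] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit_inventory(SAMPLE_CERTS, NOW).items():
        print(f"{domain}: {'; '.join(findings)}")
```

The imported certificate is the case to watch after a migration like this one: it sits behind the ALB like the others, but ACM does not renew it, so it needs its own expiry alert.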

The Impact of Automated Certificate Management

The architecture now spans the Building Intelligence environment, setting the operational baseline for how certificate work is done. Renewals happen on schedule, monitoring catches anomalies early, and the engineering team has space to focus on the higher-value work that moves the platform forward. The outcomes show up across reliability, security, and team capacity.

The most significant results from the engagement include:

  • Zero manual certificate-related outages: Services running on the new architecture experience none of the customer-visible certificate failures that previously surfaced as browser warnings.
  • Materially improved uptime and reliability: The environment maintains a strong reliability profile, with certificate-related incidents kept off the operational baseline.
  • Standardized WAF protection across services: Every service behind an ALB receives consistent OWASP-style defenses via a centrally managed policy set, providing the platform with a uniform security posture.
  • Reclaimed engineering capacity: Engineering time flows to platform features and improvements while the certificate lifecycle runs automatically in the background.

These results have given Building Intelligence the confidence to extend the architecture across the broader environment, knowing that future growth will inherit the same reliability characteristics by default.

How the EverOps Partnership Helped Forge the Outcome

EverOps approached the work as an embedded partner over a year-long engagement spanning AWS management, cost posture, and reliability. The certificate project sat inside that broader scope and benefited from the trust and context the relationship had built. The team operated with full visibility into Building Intelligence's environment and worked side by side with internal engineers throughout the project.

A significant part of the engagement focused on helping Building Intelligence build a real SRE function from its existing engineering practice. The certificate work served as both a technical deliverable and a teaching artifact, with patterns and decisions documented in ways that supported long-term ownership inside the Building Intelligence team. The Infrastructure as Code foundation made the architecture inspectable, modifiable, and learnable for engineers who joined later.

The migration proceeded without disrupting live services or customers, which required close coordination between the two teams. EverOps drew on its expertise in running similar transitions in other environments, while Building Intelligence provided context on its services, traffic patterns, and customer commitments. The combination of the two produced a faster, lower-risk transition than either team would have achieved alone.

Read the Official Case Study 

Building Intelligence now operates on a certificate management foundation that scales with the business. As new products and services come online, the same ALB, ACM, and WAF pattern applies with predictable cost and operational characteristics. EverOps continues to support ongoing infrastructure initiatives as the company expands its platform capabilities and matures its SRE practice.

"We're a security platform, so visible certificate failures hit us in two places at once. They eroded the trust our customers place in us, and they consumed real engineering and support capacity through constant manual remediation. Resolving both of those at once changed how our team operates day to day and reinforced the reliability our customers count on."

— Building Intelligence Representative 

Read the full published case study now to see how EverOps and Building Intelligence built a unified certificate management architecture on AWS, and the operational results it delivered across the environment.

Partner with EverOps 

Certificate management quietly accumulates risk in ways that are easy to ignore until a customer-visible failure forces the issue. If your team is carrying that operational weight, or working to strengthen the reliability of a security-critical platform under similar conditions, our team can help you design and deploy an architecture that runs predictably in the background. Contact EverOps today to discuss how a similar approach could fit your environment.

Frequently Asked Questions

What was the core problem EverOps solved for Building Intelligence? 

Certificate management at Building Intelligence had become fragmented, with multiple Certbot installations, manually purchased certificates, and inconsistent storage locations. EverOps replaced that footprint with a unified architecture built on AWS Application Load Balancers, AWS Certificate Manager, and AWS WAF, all defined in Infrastructure as Code. The result is automated provisioning, renewal, and monitoring across the environment, with customer-facing certificate failures effectively removed from the picture.

Why does certificate reliability matter so much for a security platform? 

A security platform sells trust as much as functionality. When users encounter visible certificate failures on the system that manages access to their buildings, the warning calls the platform's integrity into question. For a company like Building Intelligence, which holds SAFETY ACT certification and SOC 2 examination status and serves stadiums, hospitals, and commercial real estate, reliability at the certificate layer is inseparable from the value the platform delivers.

How does AWS Certificate Manager remove manual certificate management work? 

AWS Certificate Manager provisions and renews SSL/TLS certificates automatically and integrates directly with services like Application Load Balancers. Once a certificate is issued and attached, ACM silently handles renewal in the background, well before expiration. That eliminates the manual purchase, installation, and rotation cycles that once consumed engineering time and created opportunities for human error.

What role does AWS WAF play in the new architecture? 

AWS WAF sits in front of every service that lives behind an Application Load Balancer, providing a consistent layer of protection against SQL injection, cross-site scripting, and other OWASP-style threats. By managing WAF policies centrally rather than configuring defenses per instance, Building Intelligence gained uniform coverage across the platform and a much easier path to evolving those policies as threat patterns change.

What did EverOps contribute beyond the technical implementation? 

EverOps served as an embedded partner throughout a year-long engagement that helped Building Intelligence build a real SRE function from its existing engineering team. The certificate work served as both a technical deliverable and a teaching artifact, with patterns documented in ways that supported long-term internal ownership. The two teams ran the migration jointly, which protected service continuity and built lasting knowledge inside the Building Intelligence organization.

How does this work connect to broader EverOps services? 

The certificate management project draws on capabilities across Cloud Infrastructure, Security & Compliance, and Observability. Most reliability initiatives at this scale benefit from a similar combination, since durable outcomes depend on architecture, security posture, and operational visibility advancing together.