They should inventory every existing certificate before the migration, then require fresh CSR-based reissuance where the trust hierarchy changes. That gives teams a clean record of what was re-established, what was retired, and which assets still need remediation.
Why This Matters for Security Teams
Certificate migrations are audit events, not just technical cutovers. When a CA hierarchy changes, teams lose the ability to prove which certificates were inherited, which were reissued, and which were left behind unless the migration is designed around inventory, ownership, and evidence capture. That matters because machine identities now outnumber human ones in many environments, and audit teams expect a clear chain of custody for each certificate.
NHIMG’s The Critical Gaps in Machine Identity Management report highlights the scale of the problem, including that 59% of organisations face greater difficulty auditing machine identities due to limited visibility and unclear ownership. The same research shows certificate expiry is already a leading cause of outages for 45% of organisations, so migration mistakes quickly become both compliance and availability issues. The right benchmark is not whether the new CA works, but whether the migration produces evidence that stands up during review. Current guidance from NIST Cybersecurity Framework 2.0 supports that approach by tying asset visibility, access control, and governance to measurable outcomes. In practice, many security teams discover missing certificate ownership only after the old trust chain has already been decommissioned.
How It Works in Practice
The practical pattern is to treat the migration as a controlled re-establishment of trust. Start with a complete certificate inventory that captures subject, issuer, serial number, SANs, expiry, deployment location, business owner, and the systems that validate it. Then classify each certificate by migration path: reissue through the new CA, retire because it is no longer needed, or keep temporarily while a dependent system is remediated.
Where the trust hierarchy changes, fresh CSR-based reissuance is the cleanest audit trail because it shows intentional replacement rather than silent certificate cloning. That also makes the post-migration state easier to reconcile against logs, ticketing, and change approvals. The NHI Lifecycle Management Guide is useful here because it frames issuance, renewal, rotation, and retirement as auditable lifecycle steps rather than ad hoc certificate events. For evidence, teams usually need:
- Pre-migration inventory with ownership and dependency mapping
- CSR records for newly issued certificates
- Cutover approvals and validation logs
- Revocation or retirement proof for replaced certificates
- Exception tracking for any temporary legacy trust
The most useful external control lens is the NIST CSF emphasis on asset management and continuous monitoring, because auditability depends on proving what existed before, what changed during, and what remains after the move. This approach aligns well with the NHIMG view that visibility gaps are the main reason machine identity audits fail. These controls tend to break down when certificates are embedded in unmanaged appliances, hard-coded in application bundles, or issued by multiple teams without a shared source of truth.
Common Variations and Edge Cases
Tighter migration controls often increase operational overhead, requiring organisations to balance stronger audit evidence against deployment speed and outage risk. That tradeoff becomes sharper in hybrid estates, where some certificates live in public PKI, some in private CA chains, and some inside third-party platforms that do not expose full metadata.
There is no universal standard for every edge case yet, but current guidance suggests applying the same evidentiary discipline even when the technical path differs. For example, device certificates may need staged re-enrollment, service mesh identities may need workload-level reissuance, and externally managed certificates may require compensating controls such as vendor attestation plus change records. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is helpful when documenting why a certificate was preserved, replaced, or retired under a specific control model.
Auditors will usually care less about the exact tooling and more about whether the organisation can reconstruct the migration decision trail. That means preserving the mapping between old and new trust anchors, retaining revocation evidence, and documenting exceptions for systems that could not be reissued on schedule. The cleanest migrations do not just swap certificates; they produce a defensible record of trust continuity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle control is central to reissue, rotation, and retirement during migration. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential handling must remain traceable across CA changes. |
| NIST AI RMF | Governance and traceability principles apply when certificate migration affects machine identity controls. |
Map certificate changes to access governance records and preserve proof of issuance and revocation.
Related resources from NHI Mgmt Group
- How do organisations reduce outage risk from expiring IoT certificates?
- Should organisations consolidate infrastructure access tooling or keep separate point solutions?
- Should organisations consolidate PKI infrastructure or keep it distributed?
- How do organisations keep terminal-first auth workflows auditable?
