Who is accountable for certificate lifecycle in connected vehicle security?

The teams operating the vehicle platform, its update pipeline, and its connected services are accountable for certificate issuance, renewal, revocation, and retirement. If those responsibilities are unclear, trust persists after ownership changes and attack paths remain open. Lifecycle ownership is part of the security model, not a back-office detail.

Why This Matters for Security Teams

Certificate lifecycle in connected vehicle security is not just about keeping TLS working. It determines whether a vehicle, telematics service, update pipeline, or backend API can still prove its identity after ownership changes, supplier turnover, or a compromised issuance path. When accountability is vague, renewal may happen without review, revocation may be delayed, and retired certificates may continue to authenticate long after they should be dead. That creates durable trust in systems that are supposed to be continuously verifiable. Guidance from the OWASP Non-Human Identity Top 10 and NHIMG’s NHI Lifecycle Management Guide both point to the same operational reality: lifecycle ownership is a control, not an admin task. In practice, many security teams encounter stale trust and unmanaged certificate sprawl only after an incident, rather than through intentional lifecycle governance.

NHIMG research shows how often lifecycle breakdowns become exposure: Entro Security reports that 91% of former employee tokens remain active after offboarding, a reminder that identity retirement is frequently incomplete across non-human workloads too. Certificate programs fail for the same reason when ownership is split across platform, vehicle engineering, cloud operations, and suppliers without one accountable party.

How It Works in Practice

Accountability should follow the service that uses the certificate, not the certificate authority, PKI vendor, or procurement team. For connected vehicles, the accountable owner is usually the team operating the vehicle platform and its connected services, with explicit participation from update pipeline owners and product security. They are responsible for issuance criteria, renewal windows, revocation triggers, and retirement when a vehicle model, backend, or supplier relationship changes. The practical standard is to define a certificate owner, a technical approver, and an operational executor for every lifecycle step.

That model works best when tied to an inventory of machine identities and certificate consumers. Each certificate should map to a workload, purpose, environment, and expiry date. Rotation and revocation must be built into deployment and OTA processes, because connected vehicles often depend on long-lived systems where manual intervention is too slow. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the Guide to NHI Rotation Challenges are useful references for setting this up in a way that survives personnel changes.

• Assign one owning team for each certificate family, including vehicle, cloud, and supplier certificates.
• Automate renewal and revocation through policy-driven workflows rather than ticket-based manual updates.
• Track certificate purpose, expiry, and dependent services in the same asset inventory as the vehicle or backend workload.
• Require explicit retirement steps when services are decommissioned, rehosted, or transferred.

This is where certificate lifecycle control and broader NHI governance overlap with the Top 10 NHI Issues: overused identities, poor rotation, and missing visibility all turn a routine certificate into a persistent attack path. These controls tend to break down when vehicle programs rely on multiple suppliers with unclear change authority because no single team can revoke trust quickly enough.

Common Variations and Edge Cases

Tighter certificate governance often increases operational overhead, so organisations must balance rapid vehicle release cycles against the need for clear ownership and revocation control. That tradeoff becomes visible in mixed environments where OEM teams, tier-one suppliers, and cloud providers each control part of the trust chain. Best practice is evolving here, but there is no universal standard for whether the vehicle manufacturer, platform operator, or service owner should own every certificate in every domain.

In practice, the answer depends on who can actually rotate, revoke, and retire the identity without waiting on another party. Supplier-issued certificates should still have a named internal owner and an escalation path inside the vehicle program. Shared or embedded credentials are especially risky because they blur accountability and make emergency revocation slow. Where legacy infotainment or roadside-update infrastructure cannot support automated rotation, teams should compensate with shorter validity periods, tighter monitoring, and explicit replacement plans. A useful benchmark is to treat certificates the same way NHI programs treat secrets: if nobody can name the owner, the trust is already weak.

For the strongest lifecycle discipline, security teams should align certificate ownership with the same operating model described in Sisense breach analyses and vendor-neutral NHI guidance from OWASP. Where suppliers resist shared revocation processes, the program should require contract language, evidence of rotation capability, and a tested retirement procedure before deployment.

Related resources from NHI Mgmt Group

• Why does cloud migration expose certificate lifecycle gaps?
• Why does certificate lifecycle management matter so much for PQC readiness?
• What is the difference between runtime protection and NHI lifecycle management?
• How do security teams manage certificate lifecycle risk in mTLS?