They should inventory every certificate that uses clientAuth EKU, determine which identities and workloads depend on it, and move those dependencies to a dedicated enterprise CA or another controlled trust hierarchy. The key is to treat certificate purpose as an identity governance decision, not a convenience choice driven by legacy PKI habits.
Why This Matters for Security Teams
Client-auth certificates in a public CA environment are not just transport artifacts. They are bearer-capable identity material that can silently authorize workloads, partners, browsers, and automation paths across trust boundaries. Once clientAuth EKU appears on a publicly trusted certificate, the certificate can outlive the business case, spread across systems, and become difficult to inventory or revoke with confidence. That makes certificate purpose an identity governance decision, not a PKI convenience choice. NIST guidance on identity and access control in NIST SP 800-53 Rev 5 Security and Privacy Controls supports treating authentication material as controlled access infrastructure, not a passive configuration detail.
This matters because public CA trust reduces the organisation’s ability to constrain who can present the certificate, where it can be used, and how quickly that trust can be withdrawn. In NHI terms, client-auth certificates behave like high-value machine identities, especially when they are embedded in app-to-app flows or external integrations. NHIMG’s broader research on machine identity risk shows how often ownership, lifecycle control, and visibility break down in practice, which is why this problem should be handled as governance first and PKI second. In practice, many security teams encounter certificate sprawl only after a renewal failure, an audit request, or an incident has already exposed the hidden dependency.
How It Works in Practice
The right response is to build an inventory of every certificate that includes the clientAuth EKU, then map each certificate to the identity, workload, or integration that depends on it. That inventory should answer four questions for each item: who issued it, what trust chain it relies on, where it is installed, and what business function fails if it is removed. If the certificate is being used to prove identity to internal services, the stronger pattern is to move that dependency to a controlled enterprise CA or another trust hierarchy that the organisation can rotate, constrain, and monitor.
For implementation, teams usually need a staged migration:
- Classify certificates by usage, not just issuer, because public CA trust can mask internal machine-to-machine dependencies.
- Separate human-facing TLS from workload authentication, since clientAuth often ends up reused for both.
- Replace long-lived static certificates with short-lived issuance where the platform supports it.
- Bind issuance to workload identity and policy, so the certificate is minted only for the approved system and context.
- Log issuance, use, and revocation events centrally to make certificate sprawl visible before expiry becomes an outage.
For deeper NHI framing, NHIMG’s Ultimate Guide to NHIs — What are Non-Human Identities is useful for distinguishing machine identity governance from legacy PKI operations. The operational goal is to ensure every client-auth certificate has an owner, a purpose, and a revocation path that is realistic under incident pressure. These controls tend to break down in environments with unmanaged legacy applications, embedded appliances, or external partner integrations because certificate replacement is tied to vendor dependencies that cannot be changed quickly.
Common Variations and Edge Cases
Tighter certificate governance often increases migration effort and can temporarily raise operational risk, so organisations must balance faster cleanup against service continuity. That tradeoff is especially visible when public CA client-auth certificates are used by third parties, older appliances, or applications that cannot support modern workload identity patterns.
Current guidance suggests treating these edge cases as exceptions with time limits, not permanent carve-outs. If a certificate must remain in a public CA trust chain, it should still be catalogued, assigned to a business owner, and monitored for expiry, usage drift, and revocation readiness. Where feasible, shift the trust boundary inward by moving authentication to mTLS with a private CA, federated workload identity, or a dedicated enterprise trust hierarchy. This is also where the governance gap becomes visible: certificates issued for convenience often outlive the integration they were meant to support, creating hidden dependencies that are hard to trace under incident response.
NHIMG’s Sisense breach and related machine identity research illustrate the broader lesson that identity material reused across systems can become an escalation path when ownership is unclear. In public CA environments, the hardest cases are not the well-documented certificates, but the forgotten ones embedded in legacy scripts, third-party agents, and vendor-managed connectors where revocation can break production faster than the team can replace it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Client-auth cert sprawl is a lifecycle and ownership problem for NHIs. |
| OWASP Agentic AI Top 10 | Autonomous systems often rely on certs as workload identity and need runtime control. | |
| CSA MAESTRO | MAESTRO addresses agent and workload trust boundaries that certificates implement. | |
| NIST AI RMF | AI RMF governance applies when certificate-backed identities support autonomous systems. | |
| NIST CSF 2.0 | PR.AC-1 | Identity and authentication controls govern which certificates can access services. |
Inventory cert-based NHIs, assign owners, and rotate or retire clientAuth credentials on a defined schedule.