By NHI Mgmt Group Editorial Team
Published 2025-12-18
Domain: Workload Identity
Source: CyberArk

TL;DR: The CA/B Forum's shortened public TLS certificate lifespans create a 2x to 8x increase in lifecycle work across 2026 to 2029, as the maximum validity steps down from 398 days today to 200, 100 and finally 47 days. That pushes teams away from manual renewals and toward automation, according to CyberArk. The real issue is not compliance timing but whether machine identity governance can extend beyond public TLS into internal PKI, SSH, workloads, and AI identities.


At a glance

What this is: This is an analysis of how the CA/B Forum’s shorter certificate lifespans are turning certificate management into a broader machine identity modernization problem.

Why it matters: IAM and NHI teams need to treat certificate renewal pressure as a trigger to fix visibility, automation, and lifecycle control across the full machine identity estate.

By the numbers:

  • 2x to 8x more certificate lifecycle work between 2026 and 2029, as the maximum public TLS validity falls from 398 days to 200, then 100, then 47 days (CyberArk).
👉 Read CyberArk's analysis of the CA/B Forum mandate and machine identity modernization


Context

Machine identity management covers the certificates, keys, workloads, and service identities that software uses to authenticate and trust other systems. This article argues that shorter certificate lifespans are not just a renewal problem, but a forcing function for broader machine identity governance across internal PKI, SSH keys, workloads, and AI identities.

That matters because the manual certificate model was already fragile before the mandate. For IAM and NHI teams, the question is no longer whether automation is useful, but whether the organisation can establish visibility, ownership, and lifecycle control before shorter renewal windows turn routine work into outages.


Key questions

Q: How should security teams respond to shorter certificate lifespans?

A: They should treat shorter lifespans as an automation mandate, not as a reason to add more manual review. The immediate priority is to inventory all machine identities, remove ticket-driven renewals, and enforce policy-based issuance and revocation. That approach reduces outages and creates a foundation for broader lifecycle governance.

Q: What is the difference between certificate management and machine identity management?

A: Certificate management focuses on issuance, renewal, and expiration of certificates. Machine identity management is broader, covering certificates, keys, service accounts, workloads, and related ownership, visibility, and offboarding controls. In practice, the second model is the one that scales because it addresses the full identity lifecycle instead of one artifact class.

Q: Why do shorter certificate lifecycles increase operational risk?

A: Shorter lifecycles increase risk because they compress the time available for human coordination, which exposes weak inventory, unclear ownership, and inconsistent deployment paths. When renewal windows tighten, any manual dependency can become an outage. Automation reduces that risk by making lifecycle actions predictable and repeatable.

Q: Should organisations prioritise internal PKI after automating external certificates?

A: Yes, because external certificates are only the visible edge of the problem. Internal PKI often carries deeper operational risk due to legacy workflows, hidden dependencies, and less consistent governance. Once external renewal is automated, extending the same controls inward is the logical next step for durable machine identity management.


Technical breakdown

Why shorter certificate lifecycles break manual machine identity operations

Certificate validity windows are collapsing from a year-scale process into a much tighter renewal cycle: public TLS certificates are capped at 398 days today, and the CA/B Forum schedule (ballot SC-081) lowers that cap to 200 days in March 2026, 100 days in March 2027 and 47 days in March 2029. That change multiplies the operational load on discovery, issuance, deployment, validation, and revocation. If certificate handling still depends on tickets, spreadsheets, and human follow-up, the failure mode is predictable: missed renewals, service interruptions, and inconsistent trust states. The technical problem is not certificates alone. It is the coupling of identity lifecycle work to human throughput. Once the volume rises, every hidden dependency inside internal PKI, build pipelines, and runtime services becomes a source of operational risk.

Practical implication: Treat certificate renewal as an automation and ownership problem, not a calendar reminder problem.
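To make the multiplier concrete, here is an added Go example (not code from CyberArk or from this page) that encodes the SC-081 validity schedule, derives the renewal cadence each step implies, and flags a manually renewed certificate that will hit its renew-by point inside the lead time a ticket needs. The schedule dates are the CA/B Forum's; the renew-at-two-thirds rule (the usual ACME client default) and the 14-day ticket lead time are assumptions of the example, and the self-signed certificate is constructed in memory as sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// validitySteps is the CA/B Forum SC-081 schedule for public TLS leaf certificates:
// the longest validity a CA may issue on or after each date (newest step first).
var validitySteps = []struct {
	from    time.Time
	maxDays int
}{
	{time.Date(2029, 3, 15, 0, 0, 0, 0, time.UTC), 47},
	{time.Date(2027, 3, 15, 0, 0, 0, 0, time.UTC), 100},
	{time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC), 200},
}

// MaxValidityDays returns the longest validity a public CA may issue on issuedAt;
// before the first step the current 398-day limit applies.
func MaxValidityDays(issuedAt time.Time) int {
	for _, s := range validitySteps {
		if !issuedAt.Before(s.from) {
			return s.maxDays
		}
	}
	return 398
}

// RenewalsPerYear is how many issue-deploy-validate cycles one certificate needs
// per year when it is renewed at num/den of its lifetime.
func RenewalsPerYear(maxDays, num, den int) float64 {
	return 365.0 * float64(den) / (float64(maxDays) * float64(num))
}

// CertLifecycle is the lifecycle state an inventory must hold per certificate.
type CertLifecycle struct {
	Subject     string
	NotAfter    time.Time
	RenewBy     time.Time // automation should have replaced it by this point
	ManualRenew bool      // renewal still depends on a ticket or a person
}

// Analyze derives lifecycle state from a parsed certificate. Renewing at num/den
// of the lifetime (2/3 below) mirrors the common ACME client default; that
// fraction is an assumption of this example, not a CA/B Forum requirement.
func Analyze(cert *x509.Certificate, num, den int, manual bool) CertLifecycle {
	life := cert.NotAfter.Sub(cert.NotBefore)
	return CertLifecycle{
		Subject:     cert.Subject.CommonName,
		NotAfter:    cert.NotAfter,
		RenewBy:     cert.NotBefore.Add(life * time.Duration(num) / time.Duration(den)),
		ManualRenew: manual,
	}
}

// AtRisk is true when a manually renewed certificate reaches its renew-by point
// within the lead time a ticket-driven process needs to complete.
func (c CertLifecycle) AtRisk(now time.Time, leadTime time.Duration) bool {
	return c.ManualRenew && !now.Add(leadTime).Before(c.RenewBy)
}

// newSampleCert mints a self-signed leaf purely as constructed test input.
func newSampleCert(cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2026, 8, 1, 0, 0, 0, 0, time.UTC)
	m := MaxValidityDays(now.AddDate(3, 0, 0))
	fmt.Printf("2029 issuance: max %d days, %.1f renewals/year vs %.1f at 398 days\n", m, RenewalsPerYear(m, 2, 3), RenewalsPerYear(398, 2, 3))
	cert, err := newSampleCert("api.example.test", now.AddDate(0, 0, -122), 200)
	if err != nil {
		panic(err)
	}
	c := Analyze(cert, 2, 3, true)
	fmt.Printf("%s: renew by %s, at risk with a 14-day ticket lead time: %v\n", c.Subject, c.RenewBy.Format("2006-01-02"), c.AtRisk(now, 14*24*time.Hour))
}
```

The ratio RenewalsPerYear(47)/RenewalsPerYear(398) is 398/47, about 8.5, which is where the upper end of the "2x to 8x" figure comes from. The AtRisk check is the one worth wiring into an inventory: it fires on the manual path only, so the same certificate with an automated renewer produces no alert.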

How machine identity sprawl extends beyond public TLS

Public TLS certificates are only one layer of the machine identity estate. Real environments also include internal certificates, SSH keys, service accounts, workload identities, and emerging AI agent identities. These identities often lack a shared inventory, consistent expiry controls, or clear ownership. That creates fragmented trust boundaries, where one team may automate external certificates while another still manages internal credentials manually. The result is uneven security posture and blind spots in incident response. Modern machine identity management has to cover the full lifecycle, from discovery and issuance through rotation, renewal, and offboarding.

Practical implication: Build a unified inventory before expanding automation into additional identity types.

What automation changes in certificate and identity governance

Automation changes the control plane for machine identities. Instead of each renewal being an individual human event, policy defines when identities are created, how long they live, where they are deployed, and when they are revoked. That reduces variation and makes compliance continuous rather than episodic. It also creates a foundation for extending lifecycle control into higher-risk areas such as SSH governance, workload identity, and code signing. The architectural shift is important because the organisation stops treating certificates as isolated artifacts and starts treating them as governed identities with lifecycle state.

Practical implication: Use automation to enforce lifecycle policy, not just to speed up renewals.
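As an added example serving both the unified-inventory point and the policy-driven control plane described above (not code from this page or from CyberArk), the Go program below applies one policy table to every identity class in a small inventory, emits findings for missing owners, over-long lifetimes, missing expiry, overdue rotation, manual renewal paths and identities whose owner has been decommissioned, and reports coverage rather than certificate count. The inventory rows, the kind names and the policy durations are constructed for illustration and are not values from the article or any standard.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour

// Identity is one row of the unified inventory; Kind is the identity class
// (constructed names, e.g. "public-tls", "ssh-key") that selects its policy.
type Identity struct {
	ID          string
	Kind        string
	Owner       string    // accountable service or team; empty means unknown
	Issued      time.Time
	Expires     time.Time // zero value: never expires (classic SSH keys, many API keys)
	LastRotated time.Time
	Automated   bool      // renewal or rotation completes without a ticket
}

// Policy is what turns an artifact into a governed identity with lifecycle state.
type Policy struct{ MaxLifetime, RotateEvery time.Duration } // 0 = not checked

// lifecyclePolicy is an assumed policy table; the durations are illustrative.
var lifecyclePolicy = map[string]Policy{
	"public-tls":        {MaxLifetime: 200 * day},
	"internal-cert":     {MaxLifetime: 200 * day},
	"ssh-key":           {RotateEvery: 365 * day},
	"api-key":           {RotateEvery: 90 * day},
	"workload-identity": {MaxLifetime: day},
}

type Finding struct{ ID, Reason string }

// Coverage is the metric to report upward: not how many certificates exist but
// how much of the estate is owned, automated and inside rotation policy.
type Coverage struct{ Total, Owned, Automated, WithinRotationSLA, PendingRevocation int }

// Evaluate applies the policy table to every identity. decommissioned names
// owners whose systems were retired; whatever they still own must be revoked.
func Evaluate(inv []Identity, decommissioned map[string]bool, now time.Time) ([]Finding, Coverage) {
	var out []Finding
	var cov Coverage
	flag := func(id Identity, reason string) { out = append(out, Finding{id.ID, reason}) }
	for _, id := range inv {
		cov.Total++
		pol := lifecyclePolicy[id.Kind]
		switch {
		case id.Owner == "":
			flag(id, "no owner: nobody can approve renewal or revocation")
		case decommissioned[id.Owner]:
			cov.Owned++
			cov.PendingRevocation++
			flag(id, "owner "+id.Owner+" decommissioned: revoke and offboard")
		default:
			cov.Owned++
		}
		if id.Automated {
			cov.Automated++
		} else {
			flag(id, "manual lifecycle path: a missed ticket becomes an outage")
		}
		switch life := id.Expires.Sub(id.Issued); {
		case pol.MaxLifetime == 0:
		case id.Expires.IsZero():
			flag(id, "no expiry on an identity class that must expire")
		case life > pol.MaxLifetime:
			flag(id, fmt.Sprintf("lifetime %s exceeds policy %s", life, pol.MaxLifetime))
		}
		if pol.RotateEvery > 0 {
			if age := now.Sub(id.LastRotated); age > pol.RotateEvery {
				flag(id, fmt.Sprintf("rotation overdue: last rotated %s ago", age.Round(day)))
			} else {
				cov.WithinRotationSLA++
			}
		}
	}
	return out, cov
}

// sampleInventory is constructed data, not an observed environment.
func sampleInventory(now time.Time) []Identity {
	return []Identity{
		{"edge-tls", "public-tls", "platform", now.AddDate(0, 0, -60), now.AddDate(0, 0, 140), now.AddDate(0, 0, -60), true},
		{"legacy-internal", "internal-cert", "", now.AddDate(-2, 0, 0), now.AddDate(1, 0, 0), now.AddDate(-2, 0, 0), false},
		{"ci-deploy-key", "ssh-key", "build", now.AddDate(-3, 0, 0), time.Time{}, now.AddDate(-3, 0, 0), false},
		{"billing-api-key", "api-key", "payments", now.AddDate(0, 0, -20), time.Time{}, now.AddDate(0, 0, -20), true},
		{"reports-svc", "workload-identity", "reports", now.Add(-time.Hour), now.Add(23 * time.Hour), now.Add(-time.Hour), true},
	}
}

func main() {
	now := time.Date(2026, 8, 1, 0, 0, 0, 0, time.UTC)
	findings, cov := Evaluate(sampleInventory(now), map[string]bool{"reports": true}, now)
	for _, f := range findings {
		fmt.Printf("%-16s %s\n", f.ID, f.Reason)
	}
	fmt.Printf("coverage: %+v\n", cov)
}
```

On the sample data the automated public TLS certificate and the freshly rotated API key produce no findings, while the unowned internal certificate alone accounts for three; that is the "visible edge versus internal PKI" gap expressed as output rather than narrative. The decommissioned-owner branch is the offboarding trigger: the workload identity is otherwise fully compliant and still has to be revoked.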


Threat narrative

Attacker objective: Exploit weak machine identity lifecycle management, whether to disrupt availability or to obtain credentials that nobody owns, rotates, or revokes.

  1. Entry: a manual renewal workflow fails to complete on time, or an unowned credential sits exposed with no expiry to limit its usefulness.
  2. Escalation: dependent services keep running on stale trust assumptions or inconsistent certificate states, and exposed credentials stay valid because no one is accountable for revoking them.
  3. Impact: service outage, trust failure, or emergency remediation across the machine identity estate.

Two breaches show the credential side of the same lifecycle gap:

  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shortened certificate lifecycles expose the identity blast radius problem. The issue is not merely that renewals happen more often. It is that every unmanaged dependency between certificates, services, and deployment pipelines now becomes more visible and more dangerous. Teams that still rely on manual renewals are carrying hidden identity blast radius across production systems. The practical conclusion is that lifecycle governance must be treated as a containment problem, not a clerical task.

The CA/B Forum mandate accelerates the shift from certificate management to machine identity management. Once a team automates external TLS, the gap between external and internal identity operations becomes impossible to ignore. That is where fragmented ownership, inconsistent policy, and legacy workflows start to create avoidable risk. The field is moving toward integrated NHI governance, and certificate automation is only the first layer of that model. Practitioners should use the mandate to widen scope, not narrow it.

Manual certificate operations are now a structural liability, not a temporary inefficiency. Shorter validity windows turn human-scale processes into recurring failure points. This is the point at which spreadsheet governance stops being tolerable, because the control objective is no longer just renewal but continuity of trust. Organisations that delay automation are choosing operational fragility. The right response is to replace exception handling with policy-driven lifecycle control.

Machine identity modernisation will increasingly be measured by coverage, not intent. It is easy to say an organisation has a strategy for certificates, but much harder to prove that the strategy covers internal PKI, SSH, workloads, code signing, and AI identities. Coverage is what separates partial compliance from durable governance. The practitioner takeaway is simple: if the lifecycle model does not span all machine identity classes, it is incomplete.

Compliance pressure is becoming the delivery mechanism for broader NHI governance. The mandate creates urgency, but the real value comes from using that urgency to modernise identity foundations. That means aligning ownership, inventory, automation, and revocation processes across the machine identity stack. Teams that use the window well will reduce operational churn and improve resilience. The field should expect certificate governance to become the entry point for broader NHI control programs.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how incomplete lifecycle governance still is.
  • Pair renewal automation with the NHI Lifecycle Management Guide to extend control from certificates into provisioning, rotation, and offboarding.

What this signals

Identity blast radius will become the more useful metric than certificate count. As certificate lifecycles shorten, the practical question is how many systems depend on each identity and how quickly those dependencies can be remediated. Teams should expect executives to care less about renewal volume and more about outage risk, ownership clarity, and control coverage across the full machine identity estate.

The broader signal is that NHI governance will increasingly start with a compliance event and end with an operating model change. With 71% of NHIs not rotated within recommended time frames, according to the Ultimate Guide to NHIs, the challenge is not isolated certificates but a structural gap in lifecycle discipline. Practitioners should prepare to measure coverage, automation depth, and revocation speed as board-level metrics.


For practitioners

  • Map the full machine identity estate: Inventory external certificates, internal PKI, SSH keys, workload identities, and AI-related identities in one ownership model before renewal pressure increases.
  • Automate renewal and deployment workflows: Remove ticket-based renewal handling for high-volume certificates and replace it with policy-driven issuance, renewal, validation, and deployment.
  • Extend lifecycle controls beyond public TLS: Use the current mandate to expand automation into internal PKI and other machine identity classes so that controls are consistent across the estate.
  • Tie ownership to revocation and offboarding: Make every machine identity traceable to a business owner or service owner, with explicit revocation and offboarding triggers for decommissioned systems.

Key takeaways

  • Shorter certificate lifespans turn machine identity management into a recurring operational risk, not a periodic renewal task.
  • The real governance gap is broader than public TLS, because internal PKI, SSH, workloads, and AI identities remain part of the same lifecycle problem.
  • Automation matters because it converts fragmented renewal work into consistent lifecycle control across the full machine identity estate.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

  • OWASP Non-Human Identity Top 10 (NHI7:2025, Long-Lived Secrets): Shorter lifespans make rotation and renewal controls central to this article.
  • NIST CSF 2.0 (PR.AA-01, identities and credentials for users, services and hardware are managed by the organisation): Certificate governance supports controlled access to services and workloads.
  • NIST Zero Trust (SP 800-207, core tenets of no implicit trust and continuous verification): The article ties certificate automation to continuous trust and verification.

Use zero trust principles to reduce reliance on long-lived trust and manual renewal assumptions.


Key terms

  • Machine Identity Management: Machine identity management is the discipline of governing non-human credentials such as certificates, keys, service accounts, and workload identities. It covers discovery, ownership, issuance, rotation, renewal, revocation, and offboarding so software trust can be controlled across its full lifecycle.
  • Certificate Lifecycle Automation: Certificate lifecycle automation is the use of policy and tooling to issue, renew, deploy, validate, and revoke certificates without manual ticket handling. It reduces expiry risk, improves consistency, and helps organisations keep trust states current as certificate windows shorten.
  • Identity Blast Radius: Identity blast radius is the number of systems, services, and data sets exposed when one machine identity is compromised or mismanaged. The wider the dependency set, the larger the operational and security impact, which is why ownership and lifecycle controls matter as much as authentication strength.
  • Internal PKI: Internal PKI is the private certificate infrastructure an organisation uses for internal services, workloads, and trusted communications. It often carries more hidden dependency than public TLS because ownership, renewal paths, and exception handling may be less visible and less automated.

Deepen your knowledge

Machine identity lifecycle automation is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is moving from manual renewals to policy-driven governance, it is worth exploring.

This post draws on content published by CyberArk: The CA/B Forum mandate and machine identity modernization. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org