CA/B Forum certificate limits are forcing machine identity modernization

At a glance

What this is: The article argues that shrinking public TLS certificate lifespans are turning certificate renewal into a machine identity management modernization trigger.

Why it matters: For IAM and NHI teams, shorter certificate lifecycles expose whether discovery, rotation, and offboarding are automated or still spreadsheet-led.

By the numbers:

• The CA/B Forum’s approved schedule reduces the maximum validity period for public TLS certificates to 200 days in 2026, 100 days in 2027, and 47 days in 2029.
• 69% of organisations now have more machine identities than human ones.
• 74% say machine identity management complexity has increased significantly in the past two years.
• 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.

👉 Read Palo Alto Networks' analysis of CA/B Forum certificate validity changes

Context

Public TLS certificate lifespans are shrinking, and that changes the economics of machine identity management. When renewal windows compress, manual workflows stop being merely inefficient and become a direct operational risk for NHI governance, certificate lifecycle management, and workload identity administration.

The article frames this as a modernization catalyst rather than a narrow compliance update. That is the right lens for practitioners: shorter certificate timelines only help if teams use them to fix discovery, ownership, automation, and offboarding across the broader machine identity estate, not just the browser-facing edge.

Key questions

Q: How should teams respond to shorter TLS certificate validity windows?

A: They should treat shorter validity windows as a lifecycle automation mandate, not a narrow renewal problem. The first step is to inventory every certificate, assign ownership, and automate issuance, renewal, deployment, and revocation. Without those controls, shorter lifespans simply increase operational risk and outage exposure.

Q: Why do shorter certificate lifetimes expose NHI governance gaps?

A: Because certificates are only one part of machine identity governance, and shortening their lifespan reveals whether organisations can manage discovery, ownership, and renewal at scale. If the process depends on spreadsheets or manual handoffs, the underlying NHI problem is broader than certificate expiry.

Q: What is the difference between certificate management and machine identity management?

A: Certificate management focuses on issuing, renewing, and revoking certificates, while machine identity management covers the full lifecycle of service accounts, workload identities, keys, tokens, and certificates. In practice, teams need the broader model because a secure certificate process does not automatically secure the rest of the non-human identity estate.

Q: When does certificate automation matter most for security teams?

A: It matters most when renewal failures can interrupt critical services, when the identity estate is growing faster than headcount, or when compliance deadlines are forcing change. At that point, automation is no longer a convenience. It is the only sustainable way to maintain trust and availability.

Technical breakdown

Why shorter certificate lifecycles break manual renewal models

Public TLS certificates used to be manageable with ticket-based renewal because the renewal window was long enough to absorb delay, handoffs, and exceptions. As validity periods shrink, the same manual process creates more operational churn, more touchpoints, and more opportunities for expiration. The technical problem is not only certificate issuance. It is the lack of lifecycle orchestration across discovery, renewal, deployment, validation, and revocation. In NHI terms, every certificate is a machine identity with a lifecycle, ownership, and access scope. When those elements are not continuously managed, the organisation inherits outage risk disguised as routine administration.

Practical implication: Treat certificate renewal as a lifecycle automation problem, not a calendar task.

How machine identity sprawl extends beyond public TLS

Public certificates are only one layer of the machine identity estate. Internal PKI, SSH keys, workload identities, and service-to-service credentials create a much larger governance surface, often with weaker visibility and less accountability. That matters because organisations can automate browser certificates and still leave the highest-risk identities unmanaged. The architectural issue is fragmented control planes: each identity type has different issuance, rotation, and verification logic, which makes unified governance difficult. NHI security improves when teams treat all machine credentials as part of one inventory and one policy model, even if the underlying systems differ.

Practical implication: Build a single inventory and governance model for every machine identity type.

What automation changes in certificate management architecture

Automation shifts certificate management from reactive renewal to continuous control. Instead of waiting for expiry alerts, systems can discover certificates, classify them by ownership and business criticality, enforce renewal policies, and validate deployment outcomes. That reduces outage risk, but it also creates a foundation for adjacent controls such as secret rotation, workload attestation, and zero standing privilege for machine identities. The architecture choice is important: automation should not just renew faster, it should produce auditable state, clear ownership, and policy consistency across environments.

Practical implication: Prioritise automation that proves ownership and deployment success, not just renewal speed.

Threat narrative

Attacker objective: The objective is not always theft. In this pattern, the attacker or failure mode seeks to disrupt trusted machine authentication and force operational instability.

1. Entry via certificate expiry or failed renewal in a manual workflow that no system catches in time.
2. Escalation through operational disruption when dependent services lose trusted authentication and fail closed or fail inconsistently.
3. Impact through service outage, transaction interruption, or emergency bypasses that widen the identity attack surface.

Breaches seen in the wild

• Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
• Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

The real issue is not certificate length. It is lifecycle debt in machine identity governance. Shorter validity periods expose the gap between policy and operational reality. If teams cannot discover, classify, renew, and revoke machine credentials reliably, they do not have governance, they have periodic cleanup. Practitioners should use this change to measure lifecycle maturity, not just compliance readiness.

Public TLS changes will force broader NHI modernization whether teams plan for it or not. Organisations that stop at browser-facing certificates will preserve the same fragility in internal PKI, workload identities, and SSH keys. That creates a false sense of progress. The correct response is to modernize the whole machine identity estate together, because fragmented fixes only move the bottleneck.

Certificate automation is becoming a prerequisite for Zero Trust Architecture in machine environments. Zero Trust assumes continuous verification, and that assumption breaks when certificates are renewed manually, inconsistently, or without ownership. If the trust fabric cannot refresh itself on schedule, the architecture remains policy-heavy and operationally brittle. Teams should align certificate workflows with zero trust objectives, not treat them as separate projects.

Automation will shift machine identity management from an audit exercise to an operational control plane. That is the important category change. Once discovery and renewal are machine-driven, organisations can extend the same discipline to secrets, service accounts, and workload identities. The practitioners who benefit most will be the ones who use compliance pressure to build durable identity operations, not one-off remediation campaigns.

Modernisation here is a signal about the market, not just the mandate. The category is moving toward unified lifecycle governance across all non-human identities, because point fixes no longer absorb the scale of modern environments. Security teams should expect stronger convergence between certificate management, secrets governance, and workload identity tooling. The practical conclusion is to invest in platforms and processes that reduce identity fragmentation.

From our research:

• 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
• 57% of organisations lack a complete inventory of their machine identities, which makes ownership and renewal governance difficult at scale.
• For a broader view of lifecycle risk, see NHI Lifecycle Management Guide for a practical model across provisioning, rotation, and offboarding.

What this signals

Lifecycle compression will expose every weak link in certificate ownership. As renewal windows shrink, teams should expect more pressure on discovery, approvals, and service validation. The practical response is to reduce manual touchpoints now and align certificate operations with the same control discipline used for other NHI types.

With 62% of secrets duplicated and stored in multiple locations, according to The 2025 State of NHIs and Secrets in Cybersecurity, certificate modernization should not be treated in isolation. The same operational drift that spreads secrets also spreads unmanaged trust material across teams and environments.

Identity blast radius: when renewal or ownership fails in one part of the machine identity estate, the effect spreads across dependent systems. Teams should use the current certificate shift to connect certificate governance, secrets governance, and workload identity under one operational model.

For practitioners

• Audit the full certificate estate Build a current inventory of external certificates, internal PKI, service certificates, and application-owned trust anchors. Map each item to an owner, renewal method, and dependency chain so expiration risk is visible before it becomes an outage.
• Automate renewal and deployment workflows Replace ticket-driven renewals with policy-based automation that handles issuance, validation, deployment, and revocation. Make success criteria explicit, including post-renewal service checks and rollback paths for failed updates.
• Expand controls beyond public TLS Use the CA/B Forum change as the trigger to review SSH keys, workload identities, and embedded secrets alongside certificates. The goal is to avoid creating a modern front end while leaving the rest of the identity estate unmanaged.
• Tie certificate governance to zero trust Require continuous verification of certificate status, ownership, and trust scope. Align renewal policy with Zero Trust Architecture so identity freshness becomes a standing control rather than an emergency response.
• Measure operational readiness, not just compliance Track mean time to renew, percentage of automated renewals, number of manually handled exceptions, and outage events tied to lifecycle failure. Those metrics show whether modernization is real or just documented.

Key takeaways

• Shrinking certificate lifespans are exposing whether machine identity governance is automated or still manual.
• The scale of NHI sprawl means certificate renewal cannot be treated as a standalone task.
• Teams that use this mandate to unify lifecycle controls will reduce outage risk and strengthen trust operations.

Key terms

• Machine Identity: A machine identity is a credentialed digital identity used by software, services, or devices rather than a person. It includes certificates, tokens, API keys, workload identities, and service accounts, all of which require ownership, lifecycle control, and monitoring to avoid silent trust sprawl.
• Certificate Lifecycle Management: Certificate lifecycle management is the process of discovering, issuing, renewing, rotating, validating, and revoking certificates across an environment. In mature NHI programmes, it is treated as an automated control plane because expiry failures can interrupt authentication and create avoidable outages.
• Workload Identity: Workload identity is the way a software workload proves who it is to other systems without relying on static secrets. It is central to modern NHI security because it replaces long-lived credentials with verifiable, policy-driven trust that can be managed across cloud and on-premises environments.
• Identity Blast Radius: Identity blast radius is the amount of operational or security damage that can occur when one credential, identity, or trust relationship fails. The concept helps practitioners evaluate how far a certificate outage, token leak, or ownership gap can spread across connected services.

Deepen your knowledge

Machine identity modernization and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are turning certificate pressure into broader NHI control design, it is worth exploring.

This post draws on content published by Palo Alto Networks: The CA/B Forum Mandate, a catalyst for modernizing machine identity management. Read the original.