By NHI Mgmt Group Editorial TeamPublished 2026-06-30Domain: Workload IdentitySource: eMudhra

TL;DR: Certificate lifecycle management failures have caused global outages, and the move toward 47-day TLS certificates by 2029 will multiply renewal pressure by nearly 8x, according to eMudhra. Manual tracking, partial discovery, and non-native automation are no longer compatible with enterprise-scale certificate operations, especially as post-quantum reissuance approaches.


At a glance

What this is: This is an analysis of certificate lifecycle management as the operational discipline that keeps digital certificates discoverable, renewable, and revocable before expiry disrupts authentication and availability.

Why it matters: It matters because identity teams now have to treat certificates as governed machine identities, with the same lifecycle rigor they apply to service accounts, secrets, and other non-human access paths.

By the numbers:

👉 Read eMudhra's guide to certificate lifecycle management and 47-day TLS readiness


Context

Certificate lifecycle management, or CLM, is the set of controls that discover, issue, renew, monitor, and revoke certificates across an enterprise estate. The primary keyword here is certificate lifecycle management, because the article’s central claim is that manual tracking no longer works when renewal cycles compress and certificate volume rises.

The governance problem is broader than outages. Certificates now sit inside workload identity, internal PKI, code signing, and cloud automation flows, so unmanaged expiry becomes an identity availability issue as much as a cryptographic one. For teams building machine identity programmes, CLM is the operating layer that keeps certificate trust from turning into hidden downtime.

The article’s starting point is typical for large estates: teams often know certificates matter, but still underestimate how quickly discovery gaps, renewal storms, and reissuance demands can outgrow spreadsheets. That is why lifecycle governance has become a board-visible identity control, not an admin task.


Key questions

Q: How should security teams govern certificate lifecycle management at scale?

A: They should treat certificates as governed machine identities, with ownership, discovery, issuance, renewal, revocation, and policy enforcement all tied together. The practical test is whether a team can renew, replace, and revoke certificates without depending on spreadsheets or human memory. If that is not true, the lifecycle programme is already behind operational reality.

Q: Why do certificate expiry failures keep causing outages?

A: Because many organisations still depend on partial inventories and manual renewal workflows, which do not keep pace with large certificate estates or compressed lifetimes. Expiry problems are usually not cryptographic failures. They are lifecycle failures that show the organisation did not know what existed, where it lived, or when it needed replacement.

Q: What breaks when certificate discovery is incomplete?

A: When discovery is incomplete, renewal planning is built on missing data, so the certificates most likely to cause outages are the ones no one knew were there. That creates blind spots in ownership, dependency mapping, and revocation readiness. The result is a lifecycle process that looks controlled on paper but fails in production.

Q: When should organisations move from manual to automated certificate management?

A: They should move as soon as renewal volume, service criticality, or compliance pressure makes human tracking unreliable. A 47-day cadence makes automation a baseline requirement, not an optimisation. The real decision is whether to keep absorbing outage risk or redesign the process before the next renewal storm hits.


Technical breakdown

Why certificate discovery fails before renewal does

Continuous discovery is the first control that breaks at scale because most enterprises do not have a complete inventory of certificates across cloud vaults, load balancers, internal CAs, and network endpoints. If discovery only sees what a platform itself issued, the organisation is managing a partial trust map, not an estate. In certificate operations, the hidden certificate is usually the one that expires in production. Discovery must therefore span the full certificate population, including shadow certificates and nonstandard deployment locations.

Practical implication: treat undiscovered certificates as a control failure, not an exception, and validate whether discovery reaches every environment where certificates can live.

How ACME, EST, and SCEP change certificate throughput

Protocol-native automation is what allows certificate lifecycle management to survive compressed renewal windows. ACME, EST, and SCEP remove manual CSR handling, validation, issuance, and deployment from the renewal path, which is essential when renewal frequency jumps from annual cycles to many times per year. Without native protocol support, teams end up wrapping scripts around a process that should be machine-driven. That creates fragility, inconsistent deployment, and avoidable expiry risk.

Practical implication: verify that renewal flows are native to the certificate protocol stack, not dependent on brittle custom scripts or one-off operational workarounds.

Why crypto-agility is now part of certificate governance

Crypto-agility means the certificate estate can move between algorithms without rebuilding the operating model. That matters because hybrid certificates and post-quantum reissuance will require estates to replace algorithms at scale while preserving service continuity. Certificate lifecycle management is no longer only about expiry dates. It is also about whether the platform can reissue, rebind, and govern certificates when the cryptographic baseline changes under it.

Practical implication: evaluate whether your certificate governance can handle algorithm change as a routine lifecycle event, not an exceptional migration project.



NHI Mgmt Group analysis

Certificate lifecycle management is now machine identity governance, not infrastructure hygiene. The article correctly frames certificate expiry as an operational failure, but the deeper issue is governance scope. Certificates are non-human identities when they authenticate workloads, services, and devices, so lifecycle control must be treated as part of NHI oversight. Practitioners should stop treating CLM as a certificate-only admin function and align it with identity governance.

Manual certificate tracking is a structural control gap, not an efficiency problem. The article’s renewal math shows why spreadsheets collapse under shorter lifetimes, but the real failure is the assumption that humans can reliably maintain certificate state at scale. Once renewal cadence accelerates, manual process debt becomes outage debt. The practitioner takeaway is that lifecycle governance must be engineered for machine speed, not review-cycle speed.

Policy-as-code is the only governance model that scales with certificate volume. The source material makes a strong case for expressing validity periods, algorithms, and issuance rules in code rather than in documents or PDF evidence packs. That aligns with NIST CSF governance expectations and NIST SP 800-53 control discipline around access, authentication, and configuration integrity. Practitioners should treat certificate policy as an enforceable control surface, not a reporting exercise.

47-day TLS is a stress test for every certificate programme assumption. The move to shorter public certificate lifetimes does not just increase workload. It forces organisations to prove they know where certificates are, who owns them, how they renew, and whether replacement can happen without human intervention. That is a direct test of identity lifecycle maturity, and teams that fail it will discover it through downtime.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That governance gap is part of why Guide to NHI Rotation Challenges remains relevant for teams trying to replace manual renewal with lifecycle discipline.

What this signals

Certificate programmes are converging with broader NHI governance. Once certificates authenticate workloads, devices, and automation paths, they stop being a niche PKI concern and become part of identity lifecycle governance. Teams that already track ownership, rotation, and offboarding for non-human identities should apply the same operating discipline here, because the lifecycle failure modes are converging.

The shift to shorter validity windows will expose which programmes still rely on manual exception handling. If renewal success depends on a handful of admins, the estate is already carrying hidden availability debt. The right response is to validate ownership, automation coverage, and recovery paths before the next cadence change arrives.


For practitioners

  • Map every certificate population to an owner Build a complete inventory that includes public TLS, internal PKI, code signing, device identity, and workload certificates. Require an accountable owner for each certificate so expiry, revocation, and reissuance do not depend on tribal knowledge.
  • Validate renewal across native protocols Test whether your renewal process works through ACME, EST, or SCEP without custom scripts in the middle. If renewal depends on manual deployment steps, the estate will not survive shorter lifecycle windows.
  • Separate discovery from issuance claims Check whether the platform can find certificates it did not issue, including certificates from external public CAs and unmanaged network segments. Discovery that only reports on self-issued certificates is not full lifecycle visibility.
  • Treat algorithm migration as a lifecycle event Assess whether your certificate processes can reissue and redeploy certificates when algorithm requirements change. Post-quantum transition planning should be built into lifecycle governance now, not left to a future project.

Key takeaways

  • Certificate expiry is an identity governance problem when certificates authenticate services, workloads, and devices.
  • Shorter lifetimes turn manual tracking into a scalability and availability risk, not just an operational inconvenience.
  • Discovery, renewal automation, and policy enforcement must operate as one lifecycle control surface if CLM is going to keep pace.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Certificate renewal and revocation failures are core non-human identity lifecycle risks.
NIST CSF 2.0PR.AC-4Certificate ownership and access governance map directly to controlled identity permissions.
NIST SP 800-53 Rev 5IA-5Authenticator management covers certificate lifecycle, renewal, and revocation discipline.
NIST Zero Trust (SP 800-207)Zero Trust relies on continuously valid machine trust and timely credential renewal.
CIS Controls v8CIS-5 , Account ManagementCertificate ownership and lifecycle tracking align with disciplined account and identity management.

Extend account management discipline to certificate identities and ensure every certificate has an owner and revocation path.


Key terms

  • Certificate Lifecycle Management: The end-to-end process for discovering, issuing, renewing, monitoring, and revoking certificates across an organisation. In practice, CLM is the control surface that keeps machine trust from collapsing when certificate volume, renewal frequency, or cryptographic requirements change.
  • Crypto-Agility: The ability to change cryptographic algorithms without redesigning the identity or certificate operating model. For certificate programmes, crypto-agility means hybrid issuance, automated reissuance, and policy enforcement can adapt when algorithm standards or regulatory expectations shift.
  • Certificate Discovery: The process of finding every certificate in use, including unmanaged, shadow, and externally issued certificates. Discovery is the foundation of CLM because renewal, revocation, and compliance all fail when the estate is only partially visible.
  • Policy as Code: The practice of defining certificate rules in machine-readable policy instead of relying on documents or manual review. In certificate governance, policy as code makes validity periods, algorithms, and issuance constraints enforceable at the point of action.

What's in the full article

eMudhra's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step evaluation criteria for certificate lifecycle platforms that go beyond spreadsheet replacement.
  • Protocol-specific renewal considerations for ACME, EST, and SCEP in enterprise environments.
  • Practical guidance on handling hybrid PQC issuance and reissuance during the transition window.
  • Buyer questions for separating partial discovery from real estate-wide certificate visibility.

👉 The full eMudhra guide covers renewal throughput, hybrid PQC readiness, and platform evaluation tests.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org