TL;DR: Ballot SC-090 would phase out legacy certificate validation methods that depend on email, phone, fax, or IP crossover checks and push the ecosystem toward fully automated domain and IP validation, according to DigiCert. Manual validation is becoming operational debt, and certificate lifecycle management now has to be built around automation rather than human intervention.
At a glance
What this is: An analysis of CA/Browser Forum Ballot SC-090 and its push to retire manual certificate validation methods in favour of automation.
Why it matters: Certificate lifecycle controls sit inside broader identity governance, and teams that still rely on human-mediated validation will need to redesign workflows before those methods disappear.
Context
Certificate validation is the step that proves a domain or IP address can legitimately receive a certificate. In identity programmes, that proof step matters because certificate issuance is only as trustworthy as the validation process behind it, and SC-090 moves the industry away from methods that need email, phone, fax, or crossover checks.
For IAM, NHI, and workload identity teams, the practical issue is not the ballot itself but the governance model it enforces. Manual validation creates approval lag, control inconsistency, and dependency on human availability, while automated validation fits the direction certificate lifecycle management has been moving for several years.
Key questions
Q: How should security teams migrate away from manual certificate validation methods?
A: Start by identifying every certificate workflow that still depends on email, phone, fax, postal, or crossover checks. Then map each one to an automated DNS or HTTP validation path, assign clear ownership for the records or endpoints involved, and test renewal before the deprecation dates force a change. Migration works best when certificate lifecycle tooling owns the process end to end.
Q: Why does certificate validation belong in identity governance discussions?
A: Because validation determines which domain or IP address can receive a trusted certificate, which is a governance decision about authority and lifecycle control. When the process is manual, ownership is harder to audit and renewals are slower. When the process is automated, policy, record integrity, and integration control become the real trust boundary.
Q: What breaks when certificate validation still depends on people?
A: Manual validation introduces delay, inconsistency, and avoidable operational risk when certificate renewals are frequent or distributed across many environments. It also creates a dependency on staff availability at the exact moment validation is needed. Over time, that model does not scale as certificate lifecycle management becomes more continuous and more automated.
Q: Who should own the move to automated certificate validation?
A: Ownership should sit across PKI, platform operations, and identity governance rather than in a single administrative team. The reason is that validation now depends on DNS, HTTP, and lifecycle integrations that cross control boundaries. Shared ownership prevents gaps between certificate policy, domain control, and service uptime.
Technical breakdown
Why manual domain validation no longer scales
Legacy validation methods such as email, phone, fax, and postal checks depend on human participation at the moment a certificate is issued or renewed. That model creates a timing gap between the need for validation and the actual validation event, which is acceptable in low-volume workflows but fragile at scale. Fully automated validation shifts the proof step into machine-readable DNS or HTTP workflows, allowing certificate lifecycle systems to validate on demand without routing tasks through people. The deeper change is governance, not convenience: validation becomes repeatable, auditable, and suitable for high-frequency certificate operations.
Practical implication: map every certificate workflow that still depends on human-mediated validation and plan its migration path before the deprecation windows close.
What automated certificate lifecycle management changes
Automated certificate lifecycle management uses validation methods that can be triggered programmatically when a certificate is requested, renewed, or replaced. DNS-based and HTTP-based validation support this model because they can be verified by systems rather than by staff. That removes a common source of delay and reduces the chance that expired certificates or stale validation records create service disruption. It also makes lifecycle governance more predictable because the same control path can be applied consistently across environments, rather than relying on ad hoc administrative actions.
Practical implication: align certificate issuance, renewal, and revocation workflows with machine-executed validation paths so lifecycle controls stay consistent across environments.
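Added example (not from the DigiCert post or NHIMG's own tooling) of the pre-flight renewal test that the migration advice above calls for: it models ACME (RFC 8555) DNS-01 and HTTP-01 challenges, one widely used form of machine-executed DNS/HTTP validation, and injects the DNS and HTTP lookups so it runs offline against constructed data. The token, thumbprint and example.test names are assumptions.

```python
import base64
import hashlib
from typing import Callable, Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def key_authorization(token: str, thumbprint: str) -> str:
    # HTTP-01 serves this string at http://<domain>/.well-known/acme-challenge/<token>
    return f"{token}.{thumbprint}"

def dns01_txt_value(token: str, thumbprint: str) -> str:
    # DNS-01 publishes base64url(SHA-256(key authorization)) in _acme-challenge.<domain>
    return _b64url(hashlib.sha256(key_authorization(token, thumbprint).encode()).digest())

def check_dns01(domain: str, token: str, thumbprint: str,
                resolve_txt: Callable[[str], list]) -> tuple:
    name = f"_acme-challenge.{domain}"
    records = resolve_txt(name)
    if not records:
        return False, f"{name}: no TXT record; DNS automation or record ownership is missing"
    if dns01_txt_value(token, thumbprint) in records:
        return True, f"{name}: expected challenge value present"
    return False, f"{name}: only stale values present; renewal would fail"

def check_http01(domain: str, token: str, thumbprint: str,
                 fetch: Callable[[str], Optional[str]]) -> tuple:
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    body = fetch(url)
    if body is None:
        return False, f"{url}: unreachable; endpoint not wired to lifecycle tooling"
    if body.strip() == key_authorization(token, thumbprint):
        return True, f"{url}: expected key authorization served"
    return False, f"{url}: wrong body served; renewal would fail"

# Constructed stand-ins for live DNS and HTTP lookups (assumption, not real data).
TOKEN = "constructed-challenge-token"
THUMBPRINT = "constructed-account-key-thumbprint"
SAMPLE_TXT = {"_acme-challenge.api.example.test": [dns01_txt_value(TOKEN, THUMBPRINT)],
              "_acme-challenge.legacy.example.test": ["value-left-from-a-manual-run"]}
SAMPLE_HTTP = {f"http://www.example.test/.well-known/acme-challenge/{TOKEN}":
               key_authorization(TOKEN, THUMBPRINT)}

def preflight(domain: str, token: str = TOKEN, thumbprint: str = THUMBPRINT) -> tuple:
    """Try DNS-01 then HTTP-01; report the first automated path that would validate."""
    ok, reason = check_dns01(domain, token, thumbprint, lambda n: SAMPLE_TXT.get(n, []))
    if ok:
        return ok, reason
    return check_http01(domain, token, thumbprint, SAMPLE_HTTP.get)
```

Running `preflight` over each domain in the inventory before the renewal window surfaces the hosts whose DNS record or HTTP endpoint is not yet under lifecycle-tool control, which is exactly where a manual dependency is still hiding.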
Why CA/browser policy is now an identity governance issue
Certificate validation policy is not isolated infrastructure plumbing. It influences who or what can obtain trusted credentials, how quickly those credentials can be renewed, and whether lifecycle controls remain visible to security teams. As validation becomes more automated, the governance challenge shifts from approving individual requests to managing policy, ownership, and integration points across DNS, HTTP, PKI, and application operations. That is a classic identity governance problem: defining authoritative control paths, removing ambiguous exceptions, and keeping the credential lifecycle aligned to how systems actually operate.
Practical implication: treat certificate validation as part of identity lifecycle governance, not as a one-off PKI admin task.
NHI Mgmt Group analysis
Manual certificate validation is an operational exception that the industry is now closing down. SC-090 makes clear that email, phone, fax, and crossover methods no longer fit a certificate ecosystem built for continuous automation. The ballot is not just removing old options, it is formalising a governance assumption that validation must be machine-executable if certificate lifecycle management is to remain reliable. Practitioners should treat any remaining human-mediated validation path as a shrinking exception, not a durable control.
Automated validation changes the control plane for trust, not just the workflow. Once validation can be performed through DNS or HTTP on demand, the security question moves from manual approval quality to the integrity of the automated path itself. That means ownership of validation records, domain control, and renewal integrations becomes part of the trust boundary. Teams that still think of validation as an administrative step will miss that the real control is now embedded in system design.
Validation by human contact is a certificate governance model built for a world where identity proof and certificate issuance were separated by human time and human labour. That assumption fails as soon as validation is expected to happen continuously, at machine speed, and without operator intervention. The implication is that certificate governance must be redesigned around automated proof, not around manual exception handling.
This policy direction accelerates the convergence of PKI operations and broader identity governance. Certificate lifecycles now look more like other identity lifecycles: they need authoritative policy, clear ownership, and repeatable automation across the full issuance and renewal path. That makes certificate management less of a specialist corner and more of a mainstream IAM and NHI governance concern. The practical conclusion is that certificate teams and identity teams need a shared operating model, not separate control assumptions.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why lifecycle controls often fail at the implementation layer.
- The validation shift reinforces the same governance lesson covered in The State of Secrets in AppSec: control quality depends on operational discipline, not policy intent.
What this signals
Certificate validation is becoming a lifecycle control problem, not an admin convenience problem. Teams that still treat validation as a manual exception will struggle as more of the process moves into automated DNS and HTTP paths. That shift makes ownership of records, endpoints, and renewal integrations part of the control boundary, not peripheral implementation detail.
Trust in certificate operations now depends on the integrity of the automation path. If validation records can be altered without clear governance, the automation that removes human delay can also reduce visibility into how trust is established. Practitioners should watch for hidden dependencies between PKI, DNS, and platform teams, because the weakest link is often the integration handoff.
The broader signal is that identity programmes are converging on the same operating model across people, workloads, and credentials: policy-driven automation with explicit ownership. For readers building mature programmes, that means certificate lifecycle controls should be reviewed alongside other identity lifecycle processes, not left in infrastructure silos.
For practitioners
- Inventory every manual validation dependency: identify certificates that still rely on email, phone, fax, postal mail, or crossover validation methods, then map each one to the service owner and renewal path.
- Prioritise DNS and HTTP validation migration: move high-volume domains and IP-backed services to automated validation methods that can be triggered by certificate lifecycle tools without human intervention.
- Review validation ownership and record integrity: confirm who can modify DNS records, HTTP validation endpoints, and certificate issuance integrations, because those systems now sit inside the trust boundary.
Key takeaways
- SC-090 pushes certificate validation away from human-mediated methods and toward machine-executable workflows.
- Manual validation becomes a lifecycle liability when certificate operations must scale across domains, environments, and renewal cycles.
- Security teams should migrate now to automated DNS or HTTP validation and treat validation ownership as part of identity governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Validation method retirement affects certificate lifecycle governance and renewal hygiene. |
| NIST CSF 2.0 | PR.AC-1 | Certificate issuance depends on controlled access to authoritative validation records. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Automated validation supports continuous trust decisions and least-privilege service access. |
Treat certificate validation as part of continuous access governance and eliminate manual exceptions.
Key terms
- Certificate Validation: The process used to prove that a requester controls a domain, IP address, or other certificate subject before issuance. In modern lifecycle management, validation is increasingly automated so that trust can be established programmatically and repeatedly without relying on staff availability or manual contact methods.
- Certificate Lifecycle Management: The set of controls that govern certificate issuance, renewal, replacement, and revocation from start to finish. It becomes an identity governance issue when the validation step, ownership model, and automation path determine whether trusted credentials can be created and maintained consistently.
- Automated Validation: A validation method that can be executed by systems using machine-readable proof paths such as DNS or HTTP rather than email or phone contact. It reduces operational delay and makes certificate approval more repeatable, but it also raises the importance of integration integrity and record ownership.
- Validation Ownership: The assignment of authority for changing the DNS records, HTTP endpoints, or related controls that prove domain control during certificate issuance. Clear ownership matters because automation only stays trustworthy when the systems that supply proof are tightly governed and auditable.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: CA/BF Ballot SC-090: A Step Closer to Fully Automated Validation. Read the original.
Published by the NHIMG editorial team on 2025-11-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org