TL;DR: DigiCert’s agreement to acquire Vercara combines DNS, DDoS, WAF, and certificate-management capabilities into a broader digital trust stack for online infrastructure, according to DigiCert. The practical question is not whether the platform is larger, but how teams reassess control boundaries, validation workflows, and dependency risk when trust services converge under one vendor.
At a glance
What this is: DigiCert’s planned acquisition of Vercara combines DNS and certificate management with application and network protection into a broader digital trust platform.
Why it matters: For IAM, NHI, and infrastructure teams, the deal matters because trust validation, domain control, and service resilience are increasingly coupled, changing how access, assurance, and operational ownership are governed.
By the numbers:
- Vercara’s UltraDNS service ensures 100% website availability along with built-in security for superior protection.
👉 Read DigiCert's acquisition announcement covering Vercara and digital trust consolidation
Context
Digital trust is the set of controls that proves a user, device, website, or service is legitimate and keeps that trust valid over time. In this case, the acquisition signal is about consolidating DNS, certificate management, and application protection into a single operational plane for internet-facing infrastructure.
For identity and security teams, the governance question is how much assurance now depends on one provider’s combined control of name resolution, validation, and security enforcement. That affects enterprise trust architecture even when the work sits outside classic IAM tooling, because the failure domain now spans authentication, availability, and online trust.
The primary subject here is platform consolidation in trust infrastructure, not a new identity standard or a breach event. The typical starting position is the one most enterprises already live with: separate tools for certificate lifecycle, DNS, and web protection, joined operationally but not governed as one chain.
Key questions
Q: How should security teams govern DNS and certificate management together?
A: Security teams should govern DNS and certificate management as one trust chain because domain control validation, issuance, and service reachability are operationally linked. Separate ownership can create gaps between approval, validation, and recovery. The right model aligns change control, privileged access, and rollback procedures so a failure in one layer does not invalidate the others.
Q: When does a consolidated trust platform create more risk than it removes?
A: A consolidated trust platform creates more risk when one provider or one admin plane controls validation, routing, and protective enforcement without strong segregation of duties. That concentration reduces handoffs, but it also increases blast radius. If recovery, break-glass access, and change approvals are not isolated, the governance benefit can be outweighed by systemic exposure.
Q: What should enterprises review before merging DNS, WAF, and certificate controls?
A: Enterprises should review ownership boundaries, privileged access, recovery dependencies, and audit coverage before merging DNS, WAF, and certificate controls. The key question is whether the new operating model still provides independent checks on validation and configuration. If not, the combined platform may be easier to run but harder to govern under stress.
Q: How does trust infrastructure affect identity governance programmes?
A: Trust infrastructure affects identity governance because certificates, DNS, and edge controls establish whether systems can be verified and reached at all. That makes them part of the broader identity and access control environment, especially for workload identity and internet-facing services. Teams should include these dependencies in lifecycle, change, and incident response processes.
Technical breakdown
DNS control and certificate validation as one trust path
DNS and TLS are often treated as separate layers, but in practice they form a shared trust path. Domain control validation relies on DNS responses, while certificate issuance depends on proving control of a domain or service. When those functions sit in one operational stack, the assurance model becomes tighter, but the dependency chain also becomes more concentrated. A failure in DNS governance can therefore affect certificate issuance, service availability, and trust continuity at the same time. For security teams, the architectural issue is not just integration, but whether one control plane now defines both identity proof and service reachability.
Practical implication: Map DNS ownership, certificate authority workflows, and validation exceptions as one control chain instead of separate tickets.
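The coupling described above can be made concrete with a small script. This is an added example, not code from the original post or from DigiCert or Vercara: it models DNS-based domain control validation against a constructed in-memory zone snapshot instead of live DNS, using the ACME DNS-01 challenge layout (RFC 8555, a TXT record at `_acme-challenge.<domain>` holding base64url(SHA-256(key authorization))) together with CAA records (RFC 8659, `issue` tag only). The domain, CA identifier and key authorization are all constructed placeholders. The three scenarios show that a routine DNS change, approved as a DNS ticket, can block certificate issuance even while the validation challenge itself is still correct.

```python
"""DNS-based domain control validation (DCV) checked as one trust chain.

Added example for this post, not code from the original page or from
DigiCert/Vercara. Uses a constructed zone snapshot (no live DNS), the
ACME DNS-01 challenge layout (RFC 8555 section 8.4) and CAA records
(RFC 8659, 'issue' tag only). All names and values are constructed.
"""
import base64
import copy
import hashlib
from dataclasses import dataclass, field

# Constructed zone snapshot: owner name -> record type -> list of values.
ZONE = {
    "example.com": {
        "A": ["203.0.113.10"],
        "CAA": ['0 issue "ca.example.net"'],
    },
    "_acme-challenge.example.com": {"TXT": []},
}


def dns01_value(key_authorization: str) -> str:
    """TXT value the CA expects for an ACME DNS-01 challenge."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def caa_permits(zone: dict, domain: str, ca_identifier: str) -> bool:
    """Apply the closest CAA record set, walking up the name tree (RFC 8659).

    No CAA record anywhere on the path means any CA may issue; an
    'issue ";"' record means no CA may issue.
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), {}).get("CAA", [])
        if not records:
            continue
        allowed = set()
        for record in records:
            _flags, tag, value = record.split(" ", 2)
            if tag == "issue":
                allowed.add(value.strip('"'))
        return ca_identifier in allowed  # ';' never matches a CA identifier
    return True


@dataclass
class DcvResult:
    domain: str
    txt_present: bool
    caa_permits: bool
    reasons: list = field(default_factory=list)

    @property
    def issuable(self) -> bool:
        return self.txt_present and self.caa_permits


def validate_domain_control(zone, domain, key_authorization, ca_identifier) -> DcvResult:
    """Both checks read DNS, so a DNS change-control failure blocks issuance."""
    expected = dns01_value(key_authorization)
    published = zone.get(f"_acme-challenge.{domain}", {}).get("TXT", [])
    result = DcvResult(domain, expected in published, caa_permits(zone, domain, ca_identifier))
    if not result.txt_present:
        result.reasons.append("DNS-01 TXT record missing or stale")
    if not result.caa_permits:
        result.reasons.append(f"CAA does not authorise {ca_identifier}")
    return result


def run_scenarios() -> dict:
    """Walk one zone through three states; returns scenario -> issuable."""
    ca = "ca.example.net"
    key_auth = "tokenABC123.thumbprintXYZ"  # constructed ACME key authorization
    zone = copy.deepcopy(ZONE)
    results = {}
    # 1. Challenge not yet published: validation must fail.
    results["before_publish"] = validate_domain_control(zone, "example.com", key_auth, ca).issuable
    # 2. DNS team publishes the TXT record: issuance becomes possible.
    zone["_acme-challenge.example.com"]["TXT"].append(dns01_value(key_auth))
    results["after_publish"] = validate_domain_control(zone, "example.com", key_auth, ca).issuable
    # 3. A CAA change in the same zone, handled as a routine DNS ticket,
    #    names a different CA: the still-valid challenge no longer matters.
    zone["example.com"]["CAA"] = ['0 issue "other-ca.example"']
    results["caa_changed"] = validate_domain_control(zone, "example.com", key_auth, ca).issuable
    return results


if __name__ == "__main__":
    for scenario, issuable in run_scenarios().items():
        print(f"{scenario:15} issuable={issuable}")
```

The third scenario is the governance point: the CAA edit and the challenge publication are both DNS changes, but only one of them is usually reviewed by whoever owns certificate issuance. Mapping both record types into the same approval chain is what "one control chain instead of separate tickets" means in practice.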
Centralised trust management and the hidden concentration risk
Centralised trust platforms reduce manual handoffs, but they also concentrate decision rights. That matters because trust services do not just protect traffic. They define whether users, applications, and devices can be verified at all. In this deal, the operational promise is fewer manual steps for provisioning and configuration, yet the governance tradeoff is a larger blast radius if policy, identity proofing, or configuration drift occurs in the shared platform. Enterprise architects should treat this as a control concentration question, not a feature discussion.
Practical implication: Review segregation of duties, administrative boundaries, and recovery dependencies before consolidating trust services.
Digital trust now includes resilience, not just authentication
The article shows a broader shift in how digital trust is being packaged. DNS, DDoS, WAF, API protection, and certificate management now sit in the same conversation because organisations need trust services that hold under attack, not only during normal issuance. That changes how programme owners should think about governance: certificate lifecycle, availability, and threat containment are no longer neatly separable. For practitioners, the important mechanism is that trust has become an operational security domain, not a single product category.
Practical implication: Build governance around service continuity, validation integrity, and incident response for trust infrastructure together.
Threat narrative
Attacker objective: The attacker aims to interrupt, redirect, or undermine trust in internet-facing services and the identity signals those services present to users and systems.
- Entry occurs when attackers target internet-facing trust infrastructure such as DNS, certificates, or web application layers that underpin an organisation’s online presence.
- Escalation follows if control-plane weaknesses, misconfiguration, or service disruption let an attacker interfere with domain validation, traffic routing, or application protection.
- Impact is service outage, trust erosion, or compromise of public-facing assets that depend on the affected trust stack.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Digital trust is becoming a control plane, not a point product. The DigiCert and Vercara combination reflects a market move toward bundling DNS, certificate lifecycle, and edge protection into one governance surface. That matters because the assurance chain now spans domain control, availability, and trust validation in one operational path. Practitioners should evaluate whether their current ownership model still matches that convergence.
Control consolidation reduces handoffs but increases blast radius. When certificate issuance, DNS configuration, and web protection sit closer together, the work gets faster, but failure becomes more correlated. A single misstep in policy, access, or configuration can affect multiple trust services at once. The governance question is no longer whether the tools integrate, but whether the organisation can tolerate the resulting concentration of trust decisions.
Identity security teams should treat DNS governance as part of trust lifecycle management. DNS changes can influence domain validation, certificate issuance, and service reachability, which means they belong in the same change, approval, and recovery discussions as other identity-adjacent controls. This is especially relevant for programmes that already manage certificates, workload identity, or internet-facing service accounts. The practical conclusion is that trust infrastructure needs lifecycle oversight, not just operational monitoring.
Named concept: trust stack convergence. This acquisition illustrates the trend where validation, availability, and web protection are governed as one stack rather than separate disciplines. That reduces operational friction, but it also blurs the boundaries between infrastructure security and identity assurance. The implication is that practitioners must rethink where ownership for digital trust actually sits.
For NHI governance, the lesson is architectural dependency, not NHI sprawl. Even when a deal is not about service accounts or tokens directly, it affects the systems that issue and validate machine trust. That places certificate workflows, DNS automation, and platform access under the same governance scrutiny that NHI teams already apply to secrets and workload identity. The conclusion is that digital trust platforms now sit inside the identity control perimeter.
From our research:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That governance gap is why practitioners should also study Top 10 NHI Issues for the operational controls that usually fail first.
What this signals
Trust stack convergence is the right lens for this acquisition: DNS, certificate management, and edge security are no longer separate control conversations. For programme owners, that means trust services should be reviewed alongside identity-adjacent control planes, not only inside network or web operations teams. The governance boundary is moving whether organisations have updated it or not.
The practical signal is that concentration risk will become a board-level issue whenever a platform spans validation, resilience, and administrative control. As we note in Top 10 NHI Issues, broad trust dependencies often hide in plain sight until change failure or outage exposes them. Teams should map which trust services now share a failure domain and which ones do not.
With 97% of NHIs carrying excessive privileges, the operational lesson extends beyond access scope into control-plane design. If the same team or platform can alter validation, routing, and protection in one motion, then least privilege is no longer just about credentials. It becomes a question of where authority is allowed to converge inside the infrastructure stack.
For practitioners
- Re-map trust ownership across DNS and certificates: Document which team owns domain control validation, certificate issuance, DNS change approval, and emergency rollback. Treat these as one operational chain so a failure in one layer does not bypass governance in another.
- Review administrative concentration before platform consolidation: Assess whether one control plane now holds too much authority over validation, routing, and security enforcement. Confirm that privileged access, break-glass paths, and recovery options remain separated enough to contain failure.
- Include trust infrastructure in lifecycle governance: Bring certificate renewals, DNS changes, and edge protection updates into the same change-management and access-review cadence used for other critical identity-adjacent controls.
- Test recovery when trust services are unavailable: Run scenarios where DNS, certificate validation, or web protection is degraded and verify how quickly teams can restore service without weakening assurance or bypassing control checks.
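The first two steps above (re-mapping ownership and reviewing administrative concentration) can be driven from a simple control inventory. The script below is an added example, not code from the original post or from DigiCert or Vercara; the inventory, provider names (Vendor-A/B/C) and team names are constructed placeholders. It computes, per internet-facing service, which providers share its failure domain, which providers hold routing, validation and enforcement together for a single service, and where change approval and break-glass authority collapse into one group.

```python
"""Map shared failure domains and converging authority across trust services.

Added example for this post, not code from the original page or from
DigiCert/Vercara. The inventory is constructed; provider and team names
are placeholders. The three functions stand for the routing (DNS),
validation (certificates) and enforcement (edge protection) roles.
"""
from collections import defaultdict
from dataclasses import dataclass

FUNCTIONS = frozenset({"dns", "certificates", "edge_protection"})


@dataclass(frozen=True)
class Control:
    service: str      # internet-facing service the control protects
    function: str     # one of FUNCTIONS
    provider: str     # platform that operates the control plane
    admin_group: str  # group with routine change approval
    break_glass: str  # group able to override or roll back in an emergency


# Constructed inventory: one service consolidated on a single vendor, one spread out.
INVENTORY = [
    Control("www.example.com", "dns", "Vendor-A", "netops", "netops"),
    Control("www.example.com", "certificates", "Vendor-A", "pki-team", "netops"),
    Control("www.example.com", "edge_protection", "Vendor-A", "appsec", "netops"),
    Control("api.example.com", "dns", "Vendor-A", "netops", "netops-oncall"),
    Control("api.example.com", "certificates", "Vendor-B", "pki-team", "pki-oncall"),
    Control("api.example.com", "edge_protection", "Vendor-C", "appsec", "appsec-oncall"),
]


def failure_domains(inventory) -> dict:
    """service -> providers whose outage or misconfiguration degrades it."""
    domains = defaultdict(set)
    for c in inventory:
        domains[c.service].add(c.provider)
    return dict(domains)


def concentrated_providers(inventory) -> dict:
    """provider -> services for which it holds every trust function."""
    held = defaultdict(set)
    for c in inventory:
        held[(c.service, c.provider)].add(c.function)
    out = defaultdict(set)
    for (service, provider), fns in held.items():
        if fns == FUNCTIONS:
            out[provider].add(service)
    return dict(out)


def separation_findings(inventory) -> list:
    """Where change and recovery authority are not separated, or where one
    group's emergency authority spans all three functions of a service."""
    findings = []
    for c in inventory:
        if c.admin_group == c.break_glass:
            findings.append(
                f"{c.service}/{c.function}: routine change and break-glass both held by {c.admin_group}"
            )
    span = defaultdict(set)
    for c in inventory:
        span[(c.service, c.break_glass)].add(c.function)
    for (service, group), fns in sorted(span.items()):
        if fns == FUNCTIONS:
            findings.append(
                f"{service}: break-glass group {group} can alter routing, validation and enforcement in one motion"
            )
    return findings


if __name__ == "__main__":
    print("failure domains:", failure_domains(INVENTORY))
    print("concentrated providers:", concentrated_providers(INVENTORY))
    for finding in separation_findings(INVENTORY):
        print("finding:", finding)
```

Run against a real inventory, the `concentrated_providers` output is the list of services whose validation, routing and enforcement now share one vendor's control plane; the `separation_findings` output is the list of places where the post's "least privilege is no longer just about credentials" point applies, because a single group can change all three in one motion.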
Key takeaways
- The acquisition signals a broader convergence of DNS, certificate lifecycle, and edge protection into one digital trust control plane.
- The main governance issue is concentration risk, because combining validation and resilience functions increases the blast radius of any access or configuration failure.
- Practitioners should review ownership, recovery, and lifecycle controls together so trust infrastructure remains governable after platform consolidation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Trust platform consolidation changes how access and validation controls are governed. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | DNS, certificates, and edge security all support continuous verification in zero trust. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Certificate and DNS automation depend on non-human identities and their lifecycle governance. |
Treat trust infrastructure as part of the continuous verification architecture and review dependencies accordingly.
Key terms
- Digital trust: Digital trust is the set of mechanisms that lets systems prove they are legitimate and remain trustworthy during operation. It includes identity proofing, certificate management, DNS integrity, and service availability. In practice, it is the operational foundation that allows users and machines to rely on online services without manual verification at every step.
- Certificate lifecycle management: Certificate lifecycle management is the process of issuing, tracking, renewing, revoking, and replacing digital certificates before trust breaks. It is not just a PKI task. It is a governance process that ties identity, validation, and service continuity together, especially when certificates are used by workloads and internet-facing infrastructure.
- Domain control validation: Domain control validation is the step that proves an organisation controls a domain before a certificate is issued or renewed. It often depends on DNS or other domain-level signals. Because it is an assurance check, any weakness in DNS ownership, change control, or automation can directly affect certificate trust.
- Control-plane concentration: Control-plane concentration occurs when one platform or team gains authority over multiple security functions that used to be separate. It can simplify operations, but it also increases correlated failure risk. In identity-adjacent environments, it matters because administrative access and validation power may converge in the same place.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: DigiCert to Acquire Vercara, Strengthening Its Position as a Leader in Digital Trust Press Release. Read the original.
Published by the NHIMG editorial team on 2025-10-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org