TL;DR: Certificate lifecycle management, centralized visibility, and policy-driven cryptographic governance are being embedded into multicloud application delivery as DigiCert joins the F5 ADSP Partner Program, according to DigiCert. The real shift is that certificate operations are moving closer to identity governance, where automation and assurance matter more than isolated PKI administration.
At a glance
What this is: DigiCert's F5 ADSP partnership centers on certificate lifecycle automation, visibility, and policy-driven cryptographic governance for multicloud environments.
Why it matters: It matters because certificate sprawl, renewal failures, and weak ownership are identity problems as much as infrastructure problems across NHI, autonomous, and human programmes.
👉 Read DigiCert's announcement on joining the F5 ADSP Partner Program
Context
Certificate lifecycle management is the operational discipline of issuing, rotating, validating, and retiring certificates before they become a security or availability problem. In multicloud environments, that discipline breaks down when teams manage trust assets in disconnected tools and cannot see where certificates are used, who owns them, or when they expire.
The identity governance issue is not just PKI hygiene. Certificates are non-human identities in practice, and when they are embedded in application delivery paths they affect workload trust, machine authentication, compliance evidence, and incident response. That makes this a governance problem for IAM, NHI, and platform teams rather than a narrow crypto task.
Key questions
Q: How should security teams govern certificate lifecycle automation in multicloud environments?
A: They should start with ownership, inventory, and policy consistency. Certificate automation only reduces risk when every certificate is mapped to a service owner, a renewal path, and a revocation trigger. Without that structure, automation can scale unmanaged trust rather than control it.
Q: Why do certificates become an identity governance issue in application delivery?
A: Because certificates establish machine trust, not just encryption. When they authenticate services across delivery platforms, they function as non-human identities with lifecycle, ownership, and audit requirements. That puts them squarely inside IAM and NHI governance rather than outside it.
Q: What breaks when certificate visibility is fragmented across multicloud platforms?
A: Renewals fail, ownership becomes unclear, and exception handling turns inconsistent. Fragmented visibility means teams cannot reliably answer where certificates are used or which systems depend on them, so expiry events can become outages and compliance gaps.
Q: How do teams know whether certificate automation is actually improving governance?
A: Measure how many certificates have named owners, how many renewals are handled without manual intervention, and how many exceptions remain open past policy thresholds. If the inventory is still incomplete, automation is only accelerating the same blind spots.
Technical breakdown
How certificate lifecycle automation reduces trust drift
Certificate lifecycle automation replaces manual issuance and renewal steps with policy and orchestration. Instead of relying on teams to track expiry dates, reconcile inventories, and update deployments by hand, the platform manages certificate states across creation, distribution, renewal, and revocation. In multicloud environments, that matters because certificates are often attached to services, gateways, and application tiers that move faster than human review cycles. The key technical issue is trust drift: a certificate can remain valid while the service behind it changes, or the service can change while the certificate map does not. Automation reduces that mismatch, but only if discovery, ownership, and enforcement are wired into the same control plane. Practical implication: build certificate governance around authoritative inventory and enforced renewal workflows, not ad hoc reminders.
Practical implication: build certificate governance around authoritative inventory and enforced renewal workflows, not ad hoc reminders.
Why centralized visibility matters for multicloud certificate governance
Centralized visibility is the control that lets teams answer where certificates exist, which applications depend on them, and which policy applies to each one. In distributed application stacks, certificate sprawl creates hidden dependencies across load balancers, APIs, service endpoints, and internal systems. Without a single view, renewal failures become outages and ownership gaps become compliance problems. Central visibility also supports cryptographic governance by making policy consistent across clouds and environments instead of varying by deployment team. For identity teams, the important point is that visibility is what turns certificates from isolated technical artefacts into governable identity assets. Practical implication: inventory certificate owners, expiry windows, and dependency paths before you attempt broad automation.
Practical implication: inventory certificate owners, expiry windows, and dependency paths before you attempt broad automation.
Policy-driven cryptographic governance in application delivery
Policy-driven cryptographic governance means certificate decisions are shaped by rules about trust, approval, renewal, and compliance rather than by manual ticket handling. In application delivery ecosystems, that is useful because certificates are not just transport-layer components. They are part of the control plane that establishes service identity and trust between systems. The challenge is that policy only works when it reflects actual operational boundaries. If policies do not map to ownership, environment, or risk class, automation can simply accelerate bad practice. For NHI and IAM teams, the deeper lesson is that certificate governance should be treated as part of identity lifecycle management, not as a separate infrastructure function. Practical implication: align certificate policy with lifecycle ownership, audit needs, and revocation triggers.
Practical implication: align certificate policy with lifecycle ownership, audit needs, and revocation triggers.
NHI Mgmt Group analysis
Certificate lifecycle management is now an identity governance problem, not just a PKI task. Once certificates are used to establish service trust across multicloud application delivery paths, they become part of the NHI estate. That means issuance, renewal, revocation, and ownership all sit inside the same governance problem space as workload identities and secrets. Teams that still treat certificates as isolated infrastructure objects will miss the access, ownership, and audit implications. The practitioner conclusion is straightforward: certificate governance belongs in the identity programme, not beside it.
Central visibility is the real control that makes certificate automation safe. Automation without authoritative inventory simply speeds up unmanaged trust. The field keeps seeing the same pattern across identity programmes: if teams cannot name where a credential or certificate is used, they cannot govern its lifecycle with confidence. This is the same structural issue that drives secrets sprawl and ownership gaps in broader NHI operations. The practitioner conclusion is that visibility must be established before automation is expanded.
Policy-driven cryptographic governance works only when it is tied to lifecycle ownership. Policies that do not map to a service owner, environment boundary, and revocation trigger become paperwork instead of control. In multicloud delivery environments, that creates a false sense of standardisation while the actual trust model remains fragmented. This is where identity governance and platform operations need to converge. The practitioner conclusion is to govern certificates as lifecycle assets with explicit ownership and enforcement.
Runtime trust for machine identities depends on the same governance discipline that human IAM uses for joiner, mover, and leaver events. The actor changes, but the control problem does not. If access or trust objects are not tied to a lifecycle process, they outlive the conditions that justified them. That is why certificate governance, service account governance, and human access governance should be managed as one discipline with different actor types. The practitioner conclusion is to unify lifecycle policy across identity classes instead of running separate exceptions.
From our research:
- From our research: 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- For a wider lifecycle view, NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need one control model.
What this signals
Certificate governance will keep converging with broader identity lifecycle management. As multicloud delivery becomes more distributed, teams will need one control view for certificates, workload identities, and privileged access. The programme risk is not simply expired credentials. It is a fragmented lifecycle model that cannot prove ownership or revocation across actor types.
The practical next step is to treat certificate automation as part of your identity operating model, not a point integration. Use the NHI Lifecycle Management Guide to align ownership, offboarding, and exception handling, then map the same discipline to workload identity and service trust.
If your environment already struggles with secret sprawl, the problem will intensify as certificate controls are layered into delivery platforms. The Guide to the Secret Sprawl Challenge is the right companion view because the operational failure mode is the same: unmanaged trust objects outliving the systems they secure.
For practitioners
- Map every certificate to an owner and service dependency Create an inventory that records the application, environment, renewal path, and accountable owner for each certificate. Treat uncategorised certificates as governance exceptions until they are assigned.
- Tie renewal and revocation to lifecycle events Connect certificate automation to deployment changes, service retirement, and ownership handoffs so certificates are not left valid after the underlying system changes.
- Standardise policy across clouds before scaling automation Define one policy model for expiry thresholds, approval rules, and exception handling, then apply it consistently across hybrid and multicloud environments.
- Review certificate controls alongside NHI governance Place certificate lifecycle controls in the same governance review as workload identity, secrets, and privileged access so ownership and audit evidence stay aligned.
Key takeaways
- DigiCert and F5 are framing certificate automation as an application security and delivery problem, but the governance implications sit squarely inside identity management.
- The control value comes from visibility and lifecycle ownership, not from automation alone.
- Teams that cannot map certificates to service owners, dependency paths, and revocation triggers will struggle to make multicloud trust governable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle automation addresses credential rotation and lifecycle control. |
| NIST CSF 2.0 | PR.AA-1 | Certificate-based trust supports identification and authentication of system entities. |
| NIST Zero Trust (SP 800-207) | ID | Multicloud certificate governance supports continuous identity verification for services. |
Tie certificate renewal and revocation to enforced lifecycle policy instead of manual handling.
Key terms
- Certificate Lifecycle Management: The process of issuing, tracking, renewing, revoking, and retiring certificates across an environment. In modern infrastructure, it is a governance control as much as a technical one because certificate state determines whether machines and services can continue to trust each other safely.
- Cryptographic Governance: The policy and oversight layer that determines how keys, certificates, and trust rules are approved, controlled, and audited. It turns cryptographic operations into a managed identity function by binding trust decisions to ownership, lifecycle, and compliance requirements.
- Service Identity: A machine or application identity used to establish trust between systems rather than between people. Service identity depends on certificates, tokens, or similar credentials, and its security depends on the same lifecycle discipline that governs other non-human identities.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: DigiCert joins F5 ADSP Partner Program to elevate application security and delivery. Read the original.
Published by the NHIMG editorial team on 2025-11-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
