By NHI Mgmt Group Editorial Team. Published 2026-03-19. Domain: Breaches & Incidents. Source: DigiCert

TL;DR: DigiCert reports that FY26 closed with its largest fourth-quarter ARR and more than 100% bookings attainment, alongside expanded certificate lifecycle automation, DNS integration, and zero trust email security. The signal for practitioners is that trust infrastructure is now operational identity work, not just cryptography management.


At a glance

What this is: DigiCert's FY26 update says enterprise demand is concentrating around automated trust infrastructure, certificate lifecycle management, and adjacent identity controls.

Why it matters: That matters because identity teams are being pushed to govern machine trust, lifecycle automation, and email-origin authentication as part of a single programme rather than separate point problems.

By the numbers: record fourth-quarter ARR and more than 100% bookings attainment in FY26, per DigiCert's own figures.

👉 Read DigiCert's FY26 update on DigiCert ONE, ARR growth, and trust automation


Context

Certificate trust has become an identity governance problem because lifespans are shortening, automation is increasing, and certificate volumes are scaling faster than manual processes can absorb. For IAM and security teams, that means PKI, DNS, email authentication, and certificate lifecycle management now sit inside the same operational control surface.

DigiCert's update is mainly a market signal rather than a standalone product announcement. The practical message is that organisations are consolidating trust controls into broader identity and infrastructure programmes because fragmented ownership creates operational blind spots and audit friction.

The challenge is no longer whether certificates matter. The challenge is whether the programme that governs machine identities can keep pace with crypto change, cloud sprawl, and the operational need to manage trust at scale.


Key questions

Q: How should teams govern certificate lifecycle automation at enterprise scale?

A: Treat certificate lifecycle automation as an identity and reliability control, not a backend convenience. Inventory every certificate, assign ownership, define renewal thresholds, and monitor failures as service-risk events. The goal is to prevent silent expiry, unmanaged sprawl, and unclear accountability across applications, gateways, and partner integrations.

Q: Why do shortening certificate lifespans increase IAM and operations risk?

A: Shorter lifespans reduce the margin for manual intervention, so every missed renewal becomes a possible outage or trust failure. They also expose weak ownership, incomplete inventories, and fragmented tooling faster than long-lived certificates do. That makes lifecycle discipline, not ad hoc remediation, the key control.

Q: What should organisations do when PKI and DNS are managed together?

A: They should review change control, access boundaries, and rollback procedures as a single trust workflow. Converging PKI and DNS can reduce operational friction, but it also means one weak approval process or misconfiguration can affect both validation and service reachability. Shared governance must be explicit.

Q: How do email authentication controls fit into identity security programmes?

A: Email authentication should be treated as an identity assurance layer because spoofed domains often lead directly to phishing, credential theft, and fraudulent approvals. If the mail channel is weak, human identity controls are weakened too. Align sender validation, phishing resistance, and privileged workflow protections.


Technical breakdown

Certificate lifecycle automation as identity control

Certificate lifecycle management is the operational discipline of issuing, tracking, renewing, and revoking machine credentials before they fail or outlive their intended use. As certificate lifespans shorten, manual renewal becomes a reliability and security risk, especially when certificates are embedded in applications, load balancers, service meshes, and partner integrations. Automation matters because the identity object is not the certificate alone, but the entitlement to trust a workload, service, or domain at runtime. When that trust expires unpredictably, outages and authentication failures follow.

Practical implication: map certificates to owners, systems, and renewal paths so lifecycle failures are visible before they become service incidents.
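The mapping described above, as an added example that is not DigiCert's code and not part of the original post: a small Python audit over a constructed certificate inventory. It assumes an ACME-style renewal rule (start renewal once a third of the lifetime remains, so the renewal window shrinks with the lifespan) and an example legacy-algorithm list; both are assumptions chosen for illustration, not DigiCert policy. Flagging legacy algorithms is the same inventory step that cryptographic agility planning, discussed later in this post, depends on.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumption for this example: renew once a third of the lifetime remains.
# The window therefore shrinks with the lifespan, which is why short-lived
# certificates leave no room for manual renewal.
RENEW_AT_FRACTION_REMAINING = 1 / 3

# Assumption: an example crypto-agility policy. The real list comes from the
# organisation's own standards, not from this post.
LEGACY_ALGORITHMS = {"RSA-1024", "SHA1-RSA"}


@dataclass(frozen=True)
class CertRecord:
    subject: str                 # SAN / service name
    owner: Optional[str]         # accountable team; None = unmanaged
    issuer: str                  # issuing CA
    not_before: datetime
    not_after: datetime
    algorithm: str               # key / signature algorithm label
    renewal_path: Optional[str]  # e.g. "acme:dns-01"; "manual" or None = no automation


def renewal_window_days(lifetime_days: float) -> float:
    """Days before expiry at which renewal must start under the rule above."""
    return round(lifetime_days * RENEW_AT_FRACTION_REMAINING, 2)


def renewal_deadline(rec: CertRecord) -> datetime:
    lifetime = rec.not_after - rec.not_before
    return rec.not_after - lifetime * RENEW_AT_FRACTION_REMAINING


def assess(rec: CertRecord, now: datetime) -> List[str]:
    """Lifecycle findings for one certificate; an empty list means healthy."""
    findings = []
    if rec.owner is None:
        findings.append("no-owner")
    if rec.renewal_path in (None, "manual"):
        findings.append("no-automated-renewal")
    if rec.algorithm in LEGACY_ALGORITHMS:
        findings.append("legacy-algorithm")
    if now >= rec.not_after:
        findings.append("expired")
    elif now >= renewal_deadline(rec):
        findings.append("renewal-due")
    return findings


def audit(inventory: List[CertRecord], now: datetime) -> Dict[str, List[str]]:
    """Subject -> findings, only for certificates that need attention."""
    return {r.subject: f for r in inventory if (f := assess(r, now))}


UTC = timezone.utc
SAMPLE_NOW = datetime(2026, 3, 19, tzinfo=UTC)

# Constructed inventory for this example; names use the reserved .test TLD.
SAMPLE_INVENTORY = [
    CertRecord("api.example.test", "platform-team", "digicert.com",
               datetime(2026, 1, 1, tzinfo=UTC), datetime(2026, 4, 1, tzinfo=UTC),
               "ECDSA-P256", "acme:dns-01"),              # 90-day cert, inside its renewal window
    CertRecord("legacy-gw.example.test", None, "digicert.com",
               datetime(2025, 9, 1, tzinfo=UTC), datetime(2026, 10, 4, tzinfo=UTC),
               "RSA-2048", "manual"),                      # 398-day cert, nobody owns it
    CertRecord("partner-sftp.example.test", "integrations", "internal-ca",
               datetime(2025, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC),
               "SHA1-RSA", "manual"),                      # already expired, legacy signature
    CertRecord("mesh-svc.example.test", "platform-team", "internal-ca",
               datetime(2026, 3, 15, tzinfo=UTC), datetime(2026, 3, 25, tzinfo=UTC),
               "ECDSA-P256", "acme:http-01"),             # 10-day cert, healthy
]

if __name__ == "__main__":
    for days in (398, 90, 47, 10):
        print(f"{days:>3}-day cert: start renewal {renewal_window_days(days)} days before expiry")
    for subject, findings in audit(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(subject, "->", ", ".join(findings))
```

Feeding the findings into the same alerting path as service health checks is the point: "renewal-due" on a 10-day certificate is a three-day window, which no ticket queue will meet.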

PKI and DNS convergence changes the control plane

PKI and DNS are often managed separately, but they jointly determine whether clients can validate who they are talking to and where that service lives. Converging them into one automated control plane can reduce coordination gaps, but it also increases the blast radius of poor governance if ownership, change control, or separation of duties is weak. The architectural issue is not convenience versus complexity. It is whether trust dependencies that used to be split across teams are now governed as one change domain with consistent policy and auditability.

Practical implication: review change approval, access boundaries, and rollback procedures before combining trust functions into a shared platform.
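The coupling described above is concrete in DNS CAA records (RFC 8659), which tell CAs which issuers a zone permits: a permissive record lets an unexpected CA issue, and a wrong one blocks every renewal. The check below is an added example, not DigiCert's tooling and not code from the original post. It parses a constructed zone fragment instead of querying live DNS, and follows the RFC's rules that the closest ancestor name with a CAA RRset governs, that a wildcard name uses issuewild and falls back to issue, and that a critical (flag 128) property with an unrecognised tag forbids issuance. The misspelled critical tag on legacy.example.test is deliberate: it shows how one DNS typo takes down certificate renewal.

```python
import re
from typing import Dict, List, Optional, Tuple

# One CAA RR per line, as it would appear in a zone file. Constructed for this
# example; the misspelled critical tag on legacy.example.test is intentional.
ZONE = """
example.test.          IN CAA 0   issue "digicert.com"
example.test.          IN CAA 0   issue "letsencrypt.org; validationmethods=dns-01"
example.test.          IN CAA 0   iodef "mailto:pki@example.test"
sandbox.example.test.  IN CAA 0   issue ";"
legacy.example.test.   IN CAA 128 isue  "digicert.com"
"""

CAA_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CaaRR = Tuple[int, str, str]  # (flags, tag, value)


def parse_zone(text: str) -> Dict[str, List[CaaRR]]:
    records: Dict[str, List[CaaRR]] = {}
    for line in text.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        records.setdefault(name, []).append((int(m["flags"]), m["tag"].lower(), m["value"]))
    return records


def relevant_rrset(records: Dict[str, List[CaaRR]], name: str) -> Tuple[Optional[str], List[CaaRR]]:
    """RFC 8659 section 3: climb towards the root; the first name with a CAA RRset governs."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return candidate, records[candidate]
    return None, []


def issuance_decision(records: Dict[str, List[CaaRR]], name: str, ca: str) -> str:
    """'permitted', 'blocked' or 'unrestricted' for CA `ca` issuing for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, rrset = relevant_rrset(records, base)
    if not rrset:
        return "unrestricted"          # no CAA anywhere up the tree: any CA may issue
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return "blocked"               # critical property the CA does not understand
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if wildcard and not values:        # no issuewild: the issue property applies to wildcards too
        values = [v for _, t, v in rrset if t == "issue"]
    if not values:
        return "unrestricted"          # RRset exists (e.g. only iodef) but restricts nothing
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    allowed.discard("")                # a bare ";" means no issuer at all
    return "permitted" if ca.lower() in allowed else "blocked"


def check_inventory(records: Dict[str, List[CaaRR]],
                    inventory: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """(name, issuing CA) -> decision, for every pair a renewal pipeline relies on."""
    return {(name, ca): issuance_decision(records, name, ca) for name, ca in inventory}


# Constructed list of names and the CA each renewal job expects to use.
SAMPLE_INVENTORY = [
    ("api.example.test", "digicert.com"),        # inherits the example.test CAA set
    ("*.example.test", "letsencrypt.org"),        # no issuewild, so issue applies
    ("api.example.test", "sectigo.com"),          # CA not listed: misissuance prevented
    ("sandbox.example.test", "digicert.com"),     # issue ";" forbids every CA
    ("legacy.example.test", "digicert.com"),      # critical misspelled tag: renewal outage
    ("svc.other.test", "digicert.com"),           # no CAA at all: nothing constrains issuance
]

if __name__ == "__main__":
    for (name, ca), decision in check_inventory(parse_zone(ZONE), SAMPLE_INVENTORY).items():
        print(f"{name:28} {ca:18} {decision}")
```

Run this against the zone before every DNS change that touches CAA: "blocked" on a name your renewal job needs is an outage in waiting, and "unrestricted" on a production name means the PKI side has no DNS guardrail at all.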

Zero trust email security and domain authenticity

Email authentication remains a core trust boundary because phishing, spoofing, and domain impersonation exploit the gap between a message's appearance and its actual origin. Zero trust email security extends beyond filtering malicious content. It requires cryptographic and policy controls that make sender identity harder to fake and easier to validate across the ecosystem. That matters for identity programmes because email remains a primary path into both human accounts and delegated access workflows, so email-origin trust is part of identity assurance, not a separate hygiene task.

Practical implication: treat domain authentication as an identity control and align it with phishing resistance, not just messaging security.
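To make "cryptographic and policy controls" concrete: SPF, DKIM and DMARC are the published DNS policy that lets a receiver tie the visible From: domain to an authenticated sender. The script below is an added example, not DigiCert's product and not code from the original post. It reads constructed TXT answers instead of live DNS, grades each domain's SPF and DMARC records, and applies DMARC's alignment and subdomain-policy rules to a message. Organisational-domain matching is simplified to the last two labels (real implementations consult the Public Suffix List), and the SPF lookup count covers only the top-level record; both are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed TXT answers keyed by name (no live DNS); .test is a reserved TLD.
TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                            "rua=mailto:dmarc@example.test; pct=100"],
    "partner.test": ["v=spf1 a mx +all"],
    "_dmarc.partner.test": ["v=DMARC1; p=none; rua=mailto:dmarc@partner.test"],
}
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def txt(name: str, prefix: str) -> str:
    """First TXT record at `name` starting with `prefix`, or '' if none."""
    return next((r for r in TXT.get(name.lower(), []) if r.lower().startswith(prefix)), "")


def parse_tags(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_findings(domain: str) -> List[str]:
    record = txt(domain, "v=spf1")
    if not record:
        return ["spf-missing"]
    findings, terms = [], record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("spf-permits-any-sender")   # '+all': anyone passes SPF
        elif qualifier == "~":
            findings.append("spf-softfail-only")
    elif not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("spf-no-all")                     # unlisted senders get neutral
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"), 1)[0].lower() in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("spf-too-many-lookups")          # top-level terms only; includes not expanded
    return findings


def dmarc_findings(domain: str) -> List[str]:
    record = txt("_dmarc." + domain, "v=dmarc1")
    if not record:
        return ["dmarc-missing"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc-invalid"]         # no valid p= tag: receivers ignore the record
    if policy == "none":
        findings.append("dmarc-monitor-only")
    elif policy == "quarantine":
        findings.append("dmarc-quarantine")
    if int(tags.get("pct", "100")) < 100:
        findings.append("dmarc-partial-enforcement")
    if "rua" not in tags:
        findings.append("dmarc-no-reporting")
    return findings


def org_domain(d: str) -> str:
    # Simplification for this example: last two labels. Real DMARC uses the PSL.
    return ".".join(d.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    if mode == "s":                      # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed


def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> Tuple[str, str]:
    """(DMARC result, disposition) for a message with the given SPF/DKIM outcomes."""
    record, use_sp = txt("_dmarc." + from_domain, "v=dmarc1"), False
    if not record:                       # subdomain without its own record: org policy, sp= applies
        record, use_sp = txt("_dmarc." + org_domain(from_domain), "v=dmarc1"), True
    tags = parse_tags(record)
    policy = (tags.get("sp") if use_sp and "sp" in tags else tags.get("p", "")).lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none", "none"            # no usable policy: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy


if __name__ == "__main__":
    for d in ("example.test", "partner.test", "nothing.test"):
        print(d, spf_findings(d), dmarc_findings(d))
    print(dmarc_evaluate("example.test", "pass", "bulk-mailer.test", "pass", "mailer.example.test"))
```

The second evaluation case is the one identity teams miss: SPF and DKIM both pass, yet the message fails DMARC because neither authenticated domain aligns with the From: domain, so the reject policy applies. That alignment step is what turns "a signature verified" into "this sender is who the user sees".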


Threat narrative

Attacker objective: The attacker seeks to inherit trusted identity signals so users, systems, or partners accept malicious traffic as legitimate.

  1. Entry: Attackers commonly begin by exploiting weak domain authentication, stolen credentials, or misissued trust signals to impersonate legitimate senders or services.
  2. Escalation: Once trust is established, they can move into certificate abuse, email spoofing, or delegated access paths that bypass normal scrutiny.
  3. Impact: The result is phishing success, service disruption, or fraudulent trust in systems and messages that should have been rejected.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate lifecycle automation is now identity governance, not just operations. When certificate volumes increase and lifespans shorten, the old assumption that renewals can be managed as an administrative task breaks down. The control problem is no longer only revocation or issuance. It is whether the organisation can prove ownership, timing, and accountability across every machine trust object. Practitioners should treat certificate lifecycle as part of their identity governance baseline.

PKI and DNS convergence creates a tighter trust fabric with a larger governance burden. Bringing those functions together can improve operational consistency, but it also couples two historically separate failure domains. That means configuration drift, change risk, and privilege boundaries now have a shared impact on service identity and name resolution. The implication is that governance must track trust dependencies, not just system inventories.

Zero trust email security is an identity control because mail remains a front door to both human and delegated access. Email spoofing is not merely a messaging problem when inbox trust leads to credential theft, token abuse, or workflow approval abuse. Domain authenticity is part of identity assurance, especially where humans approve downstream access or exceptions. Security teams should align email trust with IAM and phishing-resistant controls, not leave it isolated in the mail stack.

Trust infrastructure is consolidating into broader identity platforms because fragmentation creates audit and resilience debt. The market signal in this update is not simply platform expansion. It is that enterprises are looking for a smaller number of systems to govern machine identity, naming, authentication, and lifecycle consistency. That trend will pressure IAM and IGA teams to define ownership across infrastructure, security, and application boundaries more clearly.

Quantum readiness is becoming a planning issue for identity teams because cryptographic change is now a lifecycle event. When cryptographic algorithms must evolve, the programme needs an inventory of dependencies, an upgrade path, and a governance model for change. The practical conclusion is that cryptographic agility belongs in identity architecture planning, not in a future-state slide deck.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Our research also found that only 44% of developers are reported to follow security best practices for secrets management, which helps explain why lifecycle controls so often outpace day-to-day behaviour.
  • For the broader operating model, see the Ultimate Guide to NHIs and Why NHI Security Matters Now for the identity governance context that connects secrets, machine identity, and automation.

What this signals

Trust consolidation will force IAM teams to treat certificates, DNS, and email authenticity as one control family. That is where the governance burden is heading, because fragmented ownership is easy to notice but hard to audit. With 75% of organisations expressing strong confidence in their secrets management capabilities despite long remediation times, the gap is not awareness but operational follow-through.

Certificate operations are turning into lifecycle governance, and lifecycle governance is becoming a board-visible resilience issue. The practical shift is that outages caused by expiry, trust-anchor change, or delegated ownership failures are no longer niche platform issues. Teams should expect stronger pressure to document ownership, automation coverage, and exception handling across the trust stack.

Quantum-readiness planning belongs in identity architecture now. Once cryptographic change affects certificates, APIs, and software trust, the programme needs dependency mapping and upgrade sequencing, not just technical interest. For the broader governance context, the Ultimate Guide to NHIs and The NHI Market are the right anchors for understanding how the tooling landscape is moving.


For practitioners

  • Map certificate ownership to business services: create a service-level inventory that links each certificate to an application owner, renewal window, issuing system, and rollback path so no certificate exists outside an accountable lifecycle.
  • Review DNS and PKI change boundaries together: assess whether shared automation has blurred separation of duties, approval flow, or emergency change procedures across DNS and certificate management.
  • Treat domain authentication as part of IAM policy: align email domain authentication, phishing-resistant controls, and workflow approvals so sender trust is evaluated alongside user and service identity risk.
  • Build cryptographic agility into roadmap planning: document where certificate, algorithm, and trust-anchor changes would affect applications, integrations, and compliance reporting before those changes are forced by expiry or regulation.

Key takeaways

  • The core risk is not certificate management alone but fragmented trust governance across PKI, DNS, and email authenticity.
  • DigiCert's figures show market demand is consolidating around automation, with record ARR and more than 100% bookings attainment in FY26.
  • Practitioners should respond by tying certificate ownership, renewal automation, and trust change control into one accountable identity programme.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets | Certificate lifecycle automation directly affects credential rotation and expiry control.
NIST CSF 2.0 | PR.AA-01 (PR.AC-1 in CSF 1.1) | Identity and credential management underpins managed trust for machine identities.
NIST Zero Trust (SP 800-207) | Section 2.1, tenets of zero trust (SP 800-207 has no PR.AC-style control identifiers) | Zero trust depends on trustworthy identity validation for services and email-origin assurance.

Tie certificate governance to CSF 2.0 PR.AA-01 (PR.AC-1 in CSF 1.1) by assigning ownership, expiry monitoring, and access boundaries.


Key terms

  • Certificate Lifecycle Management: The process of issuing, tracking, renewing, and revoking certificates across their full useful life. In practice, it is a control discipline that prevents outages, stale trust, and unmanaged machine identity exposure when certificates are embedded in applications and infrastructure.
  • Cryptographic Agility: The ability to change cryptographic algorithms, trust anchors, or validation methods without disrupting business services. It matters because cryptographic change is increasingly a lifecycle event, and organisations need inventory, sequencing, and ownership before migration becomes urgent.
  • Domain Authentication: The set of controls that prove a message or service really comes from the domain it claims. It is a critical identity assurance layer because spoofed domains can trigger phishing, credential theft, and fraudulent approvals even when other security controls are present.
  • Trust Fabric: The interconnected set of identity, certificate, DNS, and validation controls that determine whether systems and users can trust a digital interaction. When these functions are fragmented, governance becomes harder to audit and failure becomes harder to contain.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: DigiCert ONE fuels record ARR in breakout fourth quarter, building momentum for continued growth. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org