By NHI Mgmt Group Editorial Team
Published 2026-06-10
Domain: Announcements
Source: DigiCert

TL;DR: Shorter TLS lifecycles are pushing certificate renewals from an annual task toward continuous operations, with DigiCert positioning the Partner Subscriptions API and ACME automation as a delivery model for partners to manage that shift. The real issue is not issuance volume alone, but the collapse of manual certificate administration as a sustainable control.


At a glance

What this is: DigiCert’s Partner Subscriptions API pairs subscription management with ACME automation to help partners deliver certificate issuance and renewal as TLS lifecycles shorten.

Why it matters: It matters because certificate governance is becoming a lifecycle problem for NHI, IAM, and platform teams that must remove manual renewal dependency before outages and operating friction rise.

👉 Read DigiCert's partner blog on the Partner Subscriptions API and TLS automation


Context

TLS certificate management is shifting from occasional renewal to near-continuous lifecycle operations as validity periods shorten. That turns certificates into a governance problem for workload identity, service availability, and operational ownership rather than a simple procurement task.

For partners and the customers they support, the question is no longer whether automation is useful. The question is whether certificate issuance, renewal, and domain entitlement management can be embedded into workflows that keep pace with shorter TLS cycles without creating new manual handoffs.


Key questions

Q: How should security teams prepare for shorter TLS certificate lifecycles?

A: They should move certificate management from manual renewal to governed automation. That means assigning clear ownership, validating ACME-based issuance paths, and tracking renewal observability so certificates remain current without human follow-up. The objective is continuity, not just faster issuance.

Q: Why do shorter TLS lifecycles increase operational risk for certificate teams?

A: Because renewal becomes frequent enough that human tracking, ticketing, and exception handling stop scaling. The risk is not only missed renewals, but inconsistent ownership and hidden dependency on a person remembering the next action. Shorter lifecycles turn certificate governance into a process reliability problem.

Q: What breaks when certificate renewal still depends on manual processes?

A: Manual renewal creates delay, missed deadlines, and uneven visibility across domains and subaccounts. As lifecycles shorten, even small gaps can produce outages or emergency handling. The control that fails is not the certificate itself, but the organisation’s ability to renew it predictably.

Q: Who should own certificate lifecycle governance in a partner-delivered model?

A: Ownership should sit with the party that can actually execute renewal, cancellation, and entitlement changes, even if the customer experience is abstracted. If the partner runs the automation, that partner needs operational accountability. If the customer configures the client, the boundary must still be explicit.


How it works in practice

Subscription-based certificate lifecycle management

The API creates a named-domain entitlement model where one subscription can issue unlimited certificates for a domain during the term. That changes certificate administration from one-off transactions into a governed lifecycle with renewal, cancellation, SAN changes, and account reporting all tied to the same entitlement. In practice, this is less about sales motion and more about aligning certificate control with ongoing operational ownership. When certificate lifecycles compress, the management plane has to be able to keep pace with the issuance plane.

Practical implication: map certificate ownership, renewal authority, and domain entitlement into a single lifecycle process before renewal windows shrink further.

ACME automation as the delivery control point

ACME is the mechanism that actually automates issuance and renewal in this model, while the API manages the subscription relationship. The vendor states that ACME is the only supported delivery mechanism here, which makes the client configuration and EAB credential handling the operational pivot. For practitioners, that means the critical control is not the subscription itself but the reliability of the automation path that installs and renews certificates with minimal human intervention.

Practical implication: validate ACME client configuration, credential handling, and renewal observability before moving customers onto shortened certificate cycles.
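To make the EAB credential-handling pivot concrete, here is an added example (not DigiCert's or any ACME client's code) that builds and pre-flight-checks the External Account Binding object an ACME client attaches to its newAccount request, following RFC 8555 section 7.3.4; the newAccount URL, EAB key id, MAC key and account JWK are constructed placeholders.

```python
"""ACME External Account Binding (EAB), RFC 8555 section 7.3.4. Added example, not
DigiCert's or any ACME client's code. The newAccount URL, EAB key id, MAC key and
account JWK are constructed placeholders (a real client uses its own account key)."""
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(account_jwk: dict, eab_kid: str, mac_key_b64: str, new_account_url: str) -> dict:
    """The externalAccountBinding JWS carried inside a newAccount request.
    Protected header: alg (HMAC), kid (CA-issued EAB key id), url (newAccount URL),
    and no nonce. Payload: the ACME account public key as a JWK. Signature:
    HMAC-SHA256 over "protected.payload" with the CA-issued MAC key."""
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(mac_key_b64), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, account_jwk: dict, eab_kid: str, mac_key_b64: str, new_account_url: str) -> bool:
    """Pre-flight check mirroring what the CA validates. Each early return is a client
    misconfiguration that would otherwise surface only as a failed issuance later."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or "nonce" in header:
        return False
    if header.get("kid") != eab_kid or header.get("url") != new_account_url:
        return False  # stale kid after credential rotation, or wrong CA endpoint
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False  # bound key does not match the account key in the outer JWS
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(mac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Constructed values: a CA hands out kid and MAC key; the JWK is a placeholder public key.
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"
EAB_KID = "partner-kid-0001"
EAB_MAC_KEY = b64url(b"\x11" * 32)
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
```

Running verify_eab against a freshly built binding before the first issuance catches a rotated MAC key, a stale key id or a wrong directory endpoint at onboarding rather than at the first renewal.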

Short-lived TLS as a lifecycle pressure test for NHI governance

Shorter TLS lifecycles expose a familiar NHI pattern: once renewal is frequent enough, manual processes fail first, then visibility fails, then ownership becomes unclear. Certificates are non-human identities in the broad sense of machine trust artefacts, and they inherit the same lifecycle risks as service accounts and tokens when teams depend on humans to remember routine actions. The governance problem is not just scale. It is whether the process can survive without exceptions becoming the norm.

Practical implication: treat certificate renewal as governed machine identity lifecycle work, not as an ad hoc operational task.


NHI Mgmt Group analysis

Manual certificate renewal is becoming an assumption failure, not just an operational inconvenience. The old model assumed annual or infrequent renewals were manageable through human tracking and ticket-based follow-up. That assumption fails when certificate lifecycles compress toward 47 days because the process burden becomes continuous and error-prone. The implication is that teams must stop treating certificate administration as a periodic task and start treating it as lifecycle governance.

Certificate entitlement is now part of the control surface. A named-domain subscription that can issue unlimited certificates changes the object being governed from individual certificates to the entitlement relationship itself. That matters because revocation, cancellation, SAN changes, and account reporting are all lifecycle controls, not just issuance mechanics. Practitioners should recognise that the governance problem extends upstream into who can create and manage the subscription.

Continuous certificate operations: This is the specific failure mode emerging as TLS validity shortens and manual handling cannot keep up. When renewal intervals shrink, the security boundary is no longer the certificate alone but the process that keeps certificates current without interruption. The implication is a shift from artefact-centric thinking to process-centric identity governance across machine trust assets.

Partner-delivered automation will increasingly sit between customers and certificate lifecycle ownership. That creates a governance responsibility for clear operational boundaries, because the customer experience may hide the control plane while still depending on it. For identity teams, this is a reminder that workload trust can be outsourced in delivery, but not in accountability. The practitioner conclusion is to define who owns renewal failure before the first missed event.

This market is moving toward identity governance for machine trust, not just certificate resale. The combination of API-based management and ACME automation signals that certificate handling is being re-bundled into recurring lifecycle services. That direction aligns with broader NHI governance patterns: visibility, ownership, and automation matter more than discrete issuance events. Practitioners should plan for certificate control to be evaluated as a lifecycle capability, not a purchasing line item.

From our research:

What this signals

Certificate automation is now a lifecycle governance issue, not a convenience feature. As TLS validity compresses, teams that still treat certificates as periodic admin work will accumulate avoidable risk in ownership, renewal, and exception handling. The practical shift is to manage certificates like other machine identities, with clear lifecycle states and visible accountability.

With 57% of organisations lacking a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report, shortened TLS cycles will expose the same visibility gap in certificate estates. Teams should expect the weakest point to be ownership, not cryptography. That makes inventory and lifecycle mapping a prerequisite for any automation programme.

Certificate lifecycle drift: This is the operating condition to watch as renewals accelerate and manual exception handling becomes normalised. The best programmes will connect certificate entitlement, renewal automation, and service ownership in one control model, rather than handling them as separate processes.


For practitioners

  • Inventory certificate ownership across all domains and subdomains: Document which team, partner, or platform owns issuance, renewal, cancellation, and SAN changes for each domain so lifecycle accountability is explicit before automation is introduced.
  • Validate ACME renewal paths end to end: Test client configuration, EAB credential handling, renewal observability, and failure recovery so certificate replacement works without relying on manual intervention.
  • Move certificate governance into lifecycle processes: Treat renewal, cancellation, and domain entitlement changes as governed lifecycle events rather than isolated administrative tasks, and align them with existing identity ownership workflows.
  • Set outage prevention controls around certificate expiry: Monitor expiry drift, renewal failure signals, and exception handling so certificate continuity is protected before short-lived lifecycles turn minor gaps into service disruption.
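As an added example (not DigiCert's or any vendor's code) of the ownership inventory and expiry-drift monitoring in the steps above, this script classifies a constructed inventory of 47-day certificates by lifecycle state and flags unowned or failing renewal paths; the renew-at-one-third-remaining rule and the two-day grace window are assumptions.

```python
"""Renewal-drift triage over a certificate inventory. Added example, not DigiCert's
or any ACME client's code; the inventory is constructed, and the renew-at-one-third
rule (a common ACME client default) and the two-day grace window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GRACE = timedelta(days=2)  # assumed tolerance before a late renewal counts as drift

@dataclass
class CertRecord:
    domain: str
    owner: Optional[str]              # accountable team or partner; None = no owner mapped
    not_before: datetime
    not_after: datetime
    last_error: Optional[str] = None  # most recent ACME client error, if any

def renewal_due_at(rec: CertRecord) -> datetime:
    """Renewal is expected once one third of the validity window remains."""
    return rec.not_after - (rec.not_after - rec.not_before) / 3

def lifecycle_state(rec: CertRecord, now: datetime) -> str:
    """expired > overdue (renewal missed its window, i.e. drift) > due > current."""
    if now >= rec.not_after:
        return "expired"
    due = renewal_due_at(rec)
    if now > due + GRACE:
        return "overdue"
    return "due" if now >= due else "current"

def triage(records: List[CertRecord], now: datetime) -> List[dict]:
    """One finding per record, most urgent first; 'unowned' and 'failing' are the
    flags an ownership review needs, since a silent automation failure shows up as drift."""
    order = {"expired": 0, "overdue": 1, "due": 2, "current": 3}
    findings = []
    for rec in records:
        flags = (["unowned"] if rec.owner is None else []) + (["failing"] if rec.last_error else [])
        findings.append({"domain": rec.domain, "owner": rec.owner, "state": lifecycle_state(rec, now),
                         "drift_days": max(0, (now - renewal_due_at(rec)).days), "flags": flags})
    return sorted(findings, key=lambda f: (order[f["state"]], -f["drift_days"]))

# Constructed sample inventory: 47-day certificates at different points in their term.
NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)
DAY = timedelta(days=1)
INVENTORY = [
    CertRecord("api.example.com", "platform-team", NOW - 10 * DAY, NOW + 37 * DAY),
    CertRecord("shop.example.com", "web-team", NOW - 33 * DAY, NOW + 14 * DAY),
    CertRecord("legacy.example.com", None, NOW - 40 * DAY, NOW + 7 * DAY, "EAB credentials rejected"),
    CertRecord("old.example.com", "web-team", NOW - 48 * DAY, NOW - 1 * DAY),
]
```

Feeding the triage output into an alerting rule on any "overdue" or "expired" state, or any "unowned" flag, turns the expiry-drift control into something that fires before the outage rather than after it.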

Key takeaways

  • Shorter TLS lifecycles turn certificate renewal into a continuous governance problem that manual processes will struggle to absorb.
  • The operational risk is rooted in ownership, inventory, and renewal execution, not in certificate issuance alone.
  • Teams should move certificate control into lifecycle workflows with ACME automation, explicit entitlement ownership, and expiry monitoring.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle shortening increases exposure from manual renewal and poor rotation discipline. |
| NIST CSF 2.0 | PR.AC-1 | Subscription and ACME access need clear account and entitlement control. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Short-lived certificate automation supports continuous verification for workload trust. |

Map certificate issuance and renewal into lifecycle controls and eliminate manual renewal where possible.


Key terms

  • Certificate Lifecycle Management: Certificate lifecycle management is the process of issuing, renewing, replacing, and retiring TLS certificates in a controlled way. In practice, it covers ownership, renewal timing, automation, and exception handling so certificate trust remains continuous as validity periods shorten.
  • ACME: ACME is a protocol used to automate certificate issuance and renewal between a client and a certificate authority. For practitioners, it reduces manual renewal work, but it also introduces a dependency on correct client configuration, credential handling, and monitoring of the automation path.
  • Named-Domain Entitlement: A named-domain entitlement is a subscription structure that allows certificate issuance for a specific domain over a defined term. It shifts governance attention from individual certificates to the right to issue and manage certificates for that domain across the lifecycle.
  • Machine Identity: A machine identity is a non-human identity used by systems, services, or workloads to authenticate and exchange trust. Certificates are one form of machine identity, and they must be governed with the same discipline as other non-human credentials when lifecycle frequency increases.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.

This post draws on content published by DigiCert: Introducing the DigiCert Partner Subscriptions API. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org