By NHI Mgmt Group Editorial TeamPublished 2026-04-20Domain: Governance & RiskSource: Vintegris

TL;DR: Digital certificate use has grown 30% since 2021, but the article says organisations still struggle with duplicate copies, insecure storage, weak auditability and lifecycle management across issuance, renewal and revocation, according to Vintegris. That turns certificate governance into an identity and compliance problem, not just a cryptography problem.


At a glance

What this is: This is an analysis of hidden risks in digital certificate use, with the central finding that certificate lifecycle sprawl and weak custody controls undermine trust, auditability and compliance.

Why it matters: It matters to IAM and security teams because certificates are non-human identities in practice, and unmanaged copies, poor revocation and weak usage tracing expand the attack surface across human, workload and third-party access flows.

By the numbers:

👉 Read Vintegris's analysis of hidden risks in digital certificate management


Context

Digital certificates are non-human identities that prove trust, authenticate systems or people, and sign transactions. The governance problem begins when those certificates are copied across devices, stored locally, or renewed without a reliable inventory and revocation process.

The article argues that this is no longer a niche cryptography issue. As certificate volumes rise, the real failure mode is identity sprawl, where proof of possession outlives custody, and security teams lose the ability to see where a certificate exists or who is using it.

That starting position is typical, not exceptional, for organisations that rely on ad hoc custody and manual tracking.


Key questions

Q: What breaks when digital certificates are copied across multiple devices?

A: When certificates are copied across multiple devices, the organisation loses control over which instance is authoritative. Older copies can remain usable after migration, which expands the trust boundary and makes revocation harder to prove. The practical failure is not encryption weakness, but custody drift that turns one identity into several unmanaged ones.

Q: Why do digital certificates create governance risk in regulated environments?

A: Digital certificates create governance risk because they prove identity and authorise transactions, so their lifecycle affects auditability, accountability and compliance. If issuance, renewal and revocation are not tightly controlled, the organisation may be unable to show who used the certificate, when it was revoked, or whether old copies still existed.

Q: How do security teams know if certificate governance is actually working?

A: Certificate governance is working when the inventory is complete, duplicate copies are eliminated, revocation happens on schedule, and usage logs tie each certificate to a clear owner and purpose. If any of those signals are missing, the organisation has trust in the certificate but not control over the identity behind it.

Q: Who is accountable when a digital certificate is misused?

A: Accountability sits with the organisation that owns custody, lifecycle and evidence of use, not with the certificate itself. If a certificate is misused, investigators should be able to trace ownership, location, revocation status and authorisation history. Frameworks such as RGPD, NIS2, DORA and ISO 27001 all expect that level of control evidence.


Technical breakdown

Certificate lifecycle management and identity sprawl

Digital certificates behave like non-human identities because they are granted, used, renewed and revoked over time. The technical problem is not only cryptographic strength but lifecycle control. When certificates are copied to multiple endpoints or migrated without removing older versions, the organisation loses a single source of truth. That creates duplicate trust anchors, stale credentials and hard-to-audit usage paths. In practice, certificate risk increases whenever custody and lifecycle are split across teams, tools or devices. The result is a trust fabric that looks centralised on paper but is operationally fragmented.

Practical implication: treat certificate inventories as identity inventory, not asset lists.

Secure storage, transmission and key custody

Certificate security depends on the protection of the private key, not just the public certificate. If keys are stored on shared devices, transferred through insecure channels, or left in local files, the signing identity can be stolen or replayed. This is an NHI custody problem: the secret material is the identity. Strong custody requires controlled storage locations, restricted export paths and evidence of use. Without those controls, a certificate can continue to validate trust even after the underlying key has been exposed.

Practical implication: enforce controlled key custody and eliminate unmanaged local copies.

Auditability, revocation and compliance evidence

The article highlights evidence of use, notifications and revocation as operational gaps. That matters because certificate governance must prove who used what, when, and under which policy. In regulated environments, audit trails are not a nice-to-have; they are the mechanism that links trust services to accountability. If revocation is slow or incomplete, the certificate remains technically valid even when organisational trust has changed. That is why certificate lifecycle controls align closely with identity governance, Zero Trust and compliance obligations.

Practical implication: make certificate revocation and usage logging auditable controls, not support tasks.


Threat narrative

Attacker objective: The objective is to impersonate the legitimate certificate holder and create trusted actions that survive detection long enough to affect documents, transactions or authentication flows.

  1. Entry occurs when a certificate is copied to multiple devices or stored in an insecure location, giving an attacker or unauthorised user access to the signing identity.
  2. Escalation follows when the exposed private key is used to sign documents or authenticate as the legitimate certificate holder, bypassing normal custody expectations.
  3. Impact occurs when forged signatures, unauthorised authentication or stale certificates are accepted as valid, undermining document integrity, trust and regulatory assurance.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Digital certificate custody is now an identity governance problem, not a narrow PKI task. The article shows that certificates are created, moved, used and retired across multiple locations, which turns them into governed identities in practice. When custody is spread across devices and teams, accountability breaks down before the cryptography does. Practitioners should manage certificates as part of the broader identity programme, not as isolated infrastructure artefacts.

Duplicate certificate copies create identity blast radius. Migrating certificates without removing older instances leaves multiple valid trust paths in circulation. That means one compromised copy can outlive the organisation's assumed control boundary and remain usable until revocation catches up. The practitioner conclusion is simple: every extra copy expands the blast radius of a certificate failure.

Usage evidence is the control that separates trust from assumption. The article's emphasis on auditing, notifications and authorisation shows that organisations need proof of where a certificate is used, not just that it exists. Without those records, revocation becomes reactive and compliance claims become difficult to defend. Security teams should treat usage evidence as part of the control surface.

Centralisation only works when it restores lifecycle authority. A central certificate platform is not a control by itself if local copies, manual exceptions and undocumented renewals remain in play. The meaningful shift is not central storage but central enforcement of issuance, renewal, revocation and offboarding. Teams should measure whether centralisation actually reduces unmanaged trust, not whether it simply moves the problem.

eIDAS-era trust services now depend on operational discipline, not just legal recognition. The article connects digital signatures, regulated transactions and compliance frameworks such as RGPD, NIS2, DORA and ISO 27001. That means certificate management is part of enterprise resilience, because weak lifecycle control can turn a valid signature into a false assumption of assurance. Practitioners should align certificate governance with the identity controls that already support regulated access and accountability.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • Another NHI Mgmt Group finding shows that 97% of NHIs carry excessive privileges, which is why stale certificate custody should be treated as a privilege problem as well as a trust problem.
  • For a broader view of how trust material leaks across environments, see CI/CD pipeline exploitation case study for the operational consequences of unmanaged secret exposure.

What this signals

Identity blast radius: when certificate copies, renewal paths and revocation states are spread across endpoints, the security team loses the ability to define a single trust boundary. That means certificate governance should be measured by recoverable control, not by the number of certificates issued.

A practical next step is to connect certificate lifecycle data to identity governance and compliance reporting, then verify that usage logs, owner records and revocation events can be reconstructed under audit. For aligned controls, the NIST SP 800-53 Rev 5 Security and Privacy Controls guidance remains useful for access control, identification and authentication, and audit expectations.

The broader signal is that certificate management is converging with workload identity and machine identity governance. Teams that already track NHI custody and lifecycle can extend the same operating model here, which reduces the chance that regulated trust material outlives the business relationship behind it.


For practitioners

  • Inventory every certificate and private key location Build a complete register of where certificates, copies and private keys exist across endpoints, shared devices, application stores and third-party systems. Reconcile that inventory against owners, intended use and revocation state so you can see where trust still exists after custody changes.
  • Remove duplicate certificate copies after every migration Treat device changes and certificate relocation as offboarding events for the old copy. Verify that prior locations no longer retain usable credentials, especially on shared devices and administrative workstations.
  • Enforce auditable revocation and renewal workflows Require evidence for issuance, renewal and revocation, including timestamps, approvers and affected applications. If the process cannot show when a certificate was revoked or renewed, it is not yet a governed lifecycle.
  • Centralise custody without losing usage visibility Use a central control point to restrict export, define authorised use and trigger expiry notifications, but keep per-certificate activity logs that show where and when the identity was used.
  • Map certificate controls to compliance obligations Align certificate custody, audit trails and revocation timing with the requirements in RGPD, NIS2, DORA and ISO 27001 so certificate governance can satisfy both security and accountability needs.

Key takeaways

  • Digital certificates behave like governed identities, so weak custody and lifecycle control create security and compliance risk even when the cryptography itself is sound.
  • The article's core evidence is operational, not theoretical: duplicate copies, insecure storage, weak auditing and slow revocation all widen the trust boundary.
  • Practitioners should align certificate management with identity inventory, revocation evidence and regulated accountability rather than treating it as a standalone PKI task.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Certificate rotation and revocation map directly to NHI lifecycle control failures.
NIST CSF 2.0PR.AC-4Certificate custody and access scope align with least-privilege access management.
NIST SP 800-53 Rev 5IA-5Authenticator management covers certificate handling, renewal and revocation.
NIST Zero Trust (SP 800-207)Certificate trust and continuous verification are foundational to zero trust.
ISO/IEC 27001:2022A.8.2Information classification and handling supports secure certificate custody.

Use certificate governance to support continuous verification and reduce standing trust.


Key terms

  • Digital Certificate: A digital certificate is a cryptographic identity record used to prove trust, authenticate a subject, or support digital signatures. In practice it binds an identity to a public key, so governance must cover issuance, custody, renewal, and revocation across every location where the certificate can be used.
  • Private Key Custody: Private key custody is the controlled storage, handling, and protection of the secret material behind a certificate or signing identity. If custody is weak, the identity can be copied, abused, or replayed even when the certificate itself appears valid, which turns technical trust into operational risk.
  • Certificate Lifecycle Management: Certificate lifecycle management is the process of governing certificates from issuance through renewal to revocation and retirement. It is an identity governance discipline, not a housekeeping task, because unmanaged lifecycle steps create duplicate trust paths, stale credentials, and audit failures.
  • Identity Blast Radius: Identity blast radius is the amount of damage that becomes possible when one identity is copied, over-permitted, or left unmanaged. For certificates, the blast radius grows when duplicates exist across devices or when revocation is delayed, because trust remains usable beyond the organisation's intended control window.

What's in the full article

Vintegris's full article covers the operational detail this post intentionally leaves for the source:

  • How the nebulaCERT centralised certificate model handles custody, authorisation and remote access in practice
  • The specific notification, evidence and policy features used to support certificate expiry and usage tracking
  • The article's compliance framing across RGPD, NIS2, DORA and ISO 27001 for certificate governance
  • The vendor's guidance on reducing local installation of certificates and avoiding unmanaged copies

👉 Vintegris's full article covers certificate custody, lifecycle controls and compliance implications in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org