By NHI Mgmt Group Editorial TeamPublished 2026-03-17Domain: Workload IdentitySource: GlobalSign

TL;DR: PKI underpins certificate trust, encryption, and identity validation across web, email, IoT, and DevOps workflows, while lifecycle controls such as renewal, revocation, and inventory management determine whether that trust remains reliable, according to GlobalSign. The governance challenge is no longer understanding PKI in theory, but keeping certificate identity visible, validated, and revocable at enterprise scale.


At a glance

What this is: This is a PKI overview that explains how certificates, CA trust chains, CRLs, and OCSP work together to secure digital identities and communications.

Why it matters: It matters because certificate governance is a core identity control for service accounts, devices, applications, and user-facing systems, and weak lifecycle management turns trust into operational risk.

By the numbers:

👉 Read GlobalSign's guide to PKI concepts, benefits, and best practices


Context

Public key infrastructure is the trust layer that lets digital identities prove who they are and exchange data securely. In practice, that makes PKI part of identity governance, not just a cryptography topic, because certificates, validation, renewal, and revocation all determine whether machine and human identities can be trusted.

The operational problem is that PKI only works when certificate inventories are current, key material is protected, and revocation checks are reliable. For IAM and NHI programmes, this is the same lifecycle question seen in other identity domains: who can issue trust, who can revoke it, and how quickly stale identity artefacts are removed from use.


Key questions

Q: How should teams govern certificate lifecycles in a PKI programme?

A: Treat certificates as governed identity assets with named ownership, expiry tracking, and explicit revocation authority. The practical test is whether every certificate has a system owner, a renewal path, and a documented response for key compromise or role change. Inventory without ownership is only partial visibility.

Q: Why does PKI matter for NHI and machine identity governance?

A: PKI gives machines, workloads, and devices a trusted way to prove identity, but that trust only holds if issuance and revocation are controlled. For NHI programmes, certificates function like identity credentials, so lifecycle discipline, scope control, and validation matter just as much as they do for human access.

Q: What breaks when certificate revocation is not enforced?

A: A certificate can remain trusted after the underlying key is compromised, the workload changes ownership, or the service should no longer be allowed to communicate. That creates a hidden access window that outlives the intended trust boundary and undermines incident containment.

Q: Should organisations automate PKI before or after they centralise inventory?

A: Centralise inventory first, then automate the most repetitive lifecycle steps. Automation without inventory just accelerates bad data, while inventory without automation leaves renewal and revocation vulnerable to human delay. The right order is visibility, ownership, then controlled automation.


Technical breakdown

How certificate trust chains work in PKI

PKI creates trust through a hierarchy of certificate authorities, usually a root CA, one or more intermediate CAs, and end-entity certificates. A certificate binds a public key to an identity after validation, while the private key stays secret and is used to prove possession. Browsers, services, and devices verify that chain before accepting a connection or signature. The cryptography protects confidentiality and integrity, but the trust model depends on correct issuance, valid chain building, and reliable status checking. If any link in that chain is weak, the certificate may still exist while trust has already failed.

Practical implication: maintain tight control over CA hierarchy, issuance rules, and certificate inventories so trust decisions remain verifiable.

CRL and OCSP in certificate revocation management

Revocation is the mechanism that removes trust before a certificate expires. CRLs distribute lists of revoked certificates, while OCSP lets a client query a responder for near real-time status. Both methods exist because expiration alone is not enough when a private key is exposed, a certificate is misissued, or an identity relationship changes. The operational challenge is availability and freshness: revocation only helps if clients actually check status and can reach the service doing the checking. In identity terms, revocation is lifecycle control for trust artefacts, not just a technical appendix to issuance.

Practical implication: verify that revocation checking is enforced and monitored across browsers, services, and internal applications, not merely configured.

Certificate lifecycle governance across web, IoT, and DevOps

Certificate management becomes difficult when certificates are embedded in application pipelines, IoT fleets, and automated delivery workflows. ACME and API-driven provisioning reduce manual work, but they also increase the need for inventory, policy, and ownership clarity. The article correctly points to the lifecycle problem: renewal, rotation, audit, and revocation are governance tasks, not one-time setup steps. This is where PKI starts to resemble broader NHI management, because certificates are identity artefacts with an owner, scope, and expiry. Without lifecycle discipline, expiry becomes outage risk and compromise becomes persistent trust.

Practical implication: treat certificates as governed identity assets with named ownership, renewal logic, and automated inventory reconciliation.


NHI Mgmt Group analysis

PKI is identity governance for machine trust, not just cryptography. Certificates are identity assertions that bind a key to an entity, and the trust chain decides whether systems accept that assertion. That makes PKI foundational for NHI governance across servers, devices, APIs, and application workloads. Practitioners should stop treating certificate management as a narrow security utility and manage it as part of the identity control plane.

Certificate lifecycle discipline is the difference between trusted infrastructure and silent exposure. Issuance, renewal, revocation, and inventory accuracy are the controls that keep certificate identity aligned with the real environment. When those controls drift, expired, revoked, or mis-scoped certificates continue to function long after the intended trust boundary changed. The operational conclusion is simple: unmanaged certificate sprawl becomes identity debt.

PKI exposes the same ownership problem seen in NHI programmes. A certificate can be technically valid while organisational accountability is unclear, especially when DevOps teams, IoT operators, and platform teams all touch the same trust fabric. That is a governance failure, not a tooling failure. Practitioners need a single ownership model for certificate issuance, rotation, and revocation.

Managed PKI only works when policy, automation, and audit are tied together. Automation reduces manual error, but it does not remove the need for approval boundaries, validation standards, and regular review of certificate scope. GlobalSign’s framing aligns with a broader industry reality: trust infrastructure is only as strong as the governance around it. Practitioners should align PKI with formal identity lifecycle controls and continuous auditability.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For lifecycle depth, see the Ultimate Guide to NHIs for rotation, offboarding, and access review patterns that certificate programmes often mirror.

What this signals

Certificate governance is converging with broader identity governance. PKI teams increasingly need the same operational discipline that IAM and NHI teams use for ownership, lifecycle, and offboarding. With 96% of organisations storing secrets outside of secrets managers, the real programme risk is not only certificate expiry, but unmanaged trust artefacts scattered across delivery pipelines and infrastructure.

Identity programmes should expect more certificate sprawl in automation-heavy environments. DevOps pipelines, IoT fleets, and service-to-service communications all increase the number of machine identities that depend on PKI. That makes certificate inventory quality, not just cryptographic strength, the control that determines whether trust can be governed at scale.


For practitioners

  • Build a complete certificate inventory Map every public and private certificate across web, email, IoT, CI/CD, and internal services, then assign an owner, expiration date, and business system to each record.
  • Enforce revocation checking everywhere Confirm that browsers, services, and internal applications actually consult CRLs or OCSP, and flag any workload that can continue operating with stale or revoked certificates.
  • Automate renewal and renewal alerting Use policy-based workflows so certificates are renewed before expiry, with alerts tied to service owners rather than a central queue that can be ignored.
  • Tie PKI ownership to identity governance Make certificate issuance, rotation, and revocation part of the same governance process used for service accounts and other non-human identities.

Key takeaways

  • PKI is not only a cryptography topic. It is a trust governance layer for digital identities, workloads, and devices.
  • Certificate revocation, renewal, and inventory accuracy are the controls that decide whether PKI remains reliable in production.
  • As identity estates expand, certificate management must be run like lifecycle governance, with ownership, visibility, and auditability built in.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Certificate lifecycle and revocation map directly to non-human identity governance.
NIST CSF 2.0PR.AC-1PKI establishes and verifies identity before access is granted.
NIST Zero Trust (SP 800-207)PKI is a core trust mechanism inside zero trust architectures.
NIST SP 800-53 Rev 5IA-5IA-5 covers authenticator management, including certificates and key handling.

Use PR.AC-1 to ensure certificate-based identity is validated before system access.


Key terms

  • Public Key Infrastructure: A system for issuing, managing, and validating digital certificates that bind an identity to a public key. PKI lets systems trust encrypted communications and signatures, but only when issuance, revocation, and lifecycle governance are enforced correctly across the environment.
  • Certificate Revocation: The process of marking a certificate as no longer trusted before its expiration date. Revocation matters when a private key is compromised, an identity changes, or a certificate is misissued, because expiration alone does not remove risk in active environments.
  • Certificate Authority: An entity that validates identities and issues digital certificates within a trust hierarchy. In operational terms, the CA is the decision point that creates certificate trust, so its validation rules, inventory, and revocation processes must be tightly governed.
  • Online Certificate Status Protocol: A protocol used to check the current status of a certificate in near real time. OCSP improves freshness over static revocation lists, but it only adds value when clients actually query it and the responder remains reachable and accurate.

What's in the full article

GlobalSign's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanations of CA hierarchy, CSR submission, and validation flow for issued certificates
  • Practical examples of where SSL/TLS, S/MIME, digital signatures, IoT identity, and DevOps use PKI in production
  • A closer look at PKI management practices for key handling, renewal planning, and revocation oversight
  • The article's own implementation guidance for organisations choosing a PKI operating model

👉 GlobalSign's full blog covers certificate lifecycle management, revocation methods, and PKI use cases in more depth

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org