TL;DR: Certificate Transparency turns certificate issuance into a public, auditable record, allowing domain owners and CAs to detect misissued SSL/TLS certificates faster and meet browser policy requirements, according to GlobalSign. For identity and access teams, the shift matters because certificate governance is part of non-human identity control, not just PKI administration.
NHIMG editorial — based on content published by GlobalSign: Certificate Transparency and SSL governance
By the numbers:
- Only 38% have automated certificate lifecycle management in place.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 73% of vaults are misconfigured, leading to unauthorised access and exposure of sensitive data.
Questions worth separating out
Q: What breaks when certificate transparency is not enforced for a domain?
A: Without Certificate Transparency, a domain owner can miss misissued or unauthorised certificates until they appear in production, which increases the window for impersonation or interception.
Q: Why do certificates create governance issues for non-human identities?
A: Because certificates are often attached to devices, servers, APIs, and service accounts that do not behave like people.
Q: How do security teams know if certificate lifecycle management is working?
A: Certificate lifecycle management is working when every certificate has a clear owner, renewal is automated or tightly managed, and expiry cannot occur without escalation.
Practitioner guidance
- Inventory certificate issuance paths Map every CA, registration authority, automation flow, and server-side process that can produce SSL/TLS certificates for your domains, including third-party teams and delegated environments.
- Verify SCT delivery across all certificate profiles Test whether embedded SCTs, TLS extensions, or OCSP stapling are actually present in the certificate types you issue and the browsers you support.
- Fold certificate visibility into NHI governance Treat certificates as machine identities with lifecycle state, ownership, revocation responsibility, and audit evidence.
What's in the full article
GlobalSign's full post covers the operational detail this post intentionally leaves for the source:
- How SCTs are embedded in certificates versus delivered through TLS or OCSP stapling.
- The practical differences between precertificates and final certificates in the CT workflow.
- The browser policy logic behind CT compliance deadlines and trust decisions.
- The server configuration changes needed to support SCT delivery reliably.
👉 Read GlobalSign's explanation of Certificate Transparency and SSL governance →
Certificate Transparency and SSL governance: are your controls keeping up?
Explore further
Certificate transparency is a governance control, not just a browser requirement. The article shows that public logging exists because closed certificate issuance processes were too easy to misread, mis-handle, or exploit. For identity programmes, that is the same structural problem seen in machine identity sprawl: if a credential cannot be inventoried and audited, it cannot be governed with confidence. The practitioner conclusion is that certificate lifecycle management belongs inside identity governance, not beside it.
A question worth separating out:
Q: Who should be accountable when certificate abuse leads to domain compromise?
A: Accountability should sit with the teams that govern identity trust, template policy, and privileged enrolment, not only with Windows administrators. AD CS compromise is an identity governance failure because it converts a certificate decision into domain-level authority.
👉 Read our full editorial: Certificate Transparency is becoming a trust control for SSL governance