Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PKI lifecycle governance is the gap teams are still missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: PKI remains the trust layer for TLS, device authentication, signed code, and encrypted traffic, but the article argues that most failures come from manual handling, expired certificates, fragmented tooling, and weak lifecycle ownership rather than from cryptography itself, according to GlobalSign. The governance problem is no longer whether PKI works, but whether organisations can operate it as a living identity system instead of a set-and-forget control.

NHIMG editorial — based on content published by GlobalSign: PKI is not dead, it is often mismanaged

Questions worth separating out

Q: How should security teams manage certificate lifecycle risk in PKI environments?

A: Security teams should treat certificates like governed credentials, not static configuration.

Q: Why do expired certificates cause security and availability problems?

A: Expired certificates break trust relationships that applications, devices, and users rely on for authentication and encrypted transport.

Q: What do organisations get wrong about PKI governance?

A: They often assume PKI is a one-time setup task handled by infrastructure teams.

Practitioner guidance

  • Build a complete certificate inventory Create a single inventory for certificates, private keys, issuance systems, renewal dates, and owners.
  • Automate renewal and revocation workflows Replace manual renewal steps with policy-driven automation for issuance, rotation, renewal, and revocation.
  • Treat certificates as credentials Include certificates and private keys in the same governance controls used for secrets, service accounts, and other non-human identities.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The article's practical examples of certificate failure modes, including expired SSL certificates and manual lifecycle breakdowns.
  • Its discussion of cloud PKI, API-driven issuance, and policy-based renewal for large-scale environments.
  • The IoT and device-authentication use cases where certificate automation becomes a scale requirement.
  • Its argument for tying PKI into DevOps and identity governance workflows rather than leaving it isolated.

👉 Read GlobalSign's analysis of why PKI governance, not cryptography, is the real issue →

PKI lifecycle governance is the gap teams are still missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

PKI is a lifecycle governance problem before it is a cryptography problem. The article is right to reject the idea that PKI has become obsolete, but the real failure mode is organisational: certificates are still handled as static artefacts instead of credentials with owners, expiry dates, and revocation rules. That creates a governance gap that looks technical on the surface and operational underneath. Practitioners should treat certificate lifecycle control as a first-class identity discipline.

A question worth separating out:

Q: Which controls matter most when PKI supports workloads and devices?

A: The most useful controls are inventory, automation, least privilege for issuance, and continuous monitoring for expiry or orphaned assets. Those controls reduce the risk of standing trust in devices and workloads that should be revalidated through lifecycle events. They also support auditability and faster incident response.

👉 Read our full editorial: PKI is not dead: why lifecycle governance is the real failure



   
ReplyQuote
Share: