Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Unknown certificates and 47-day lifetimes: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: As certificate lifetimes compress from years to months and toward 47 days, unmanaged and unknown certificates become a growing availability and governance risk, according to GlobalSign. The operational fix is not just faster renewal, but discovery, ownership, and lifecycle control that can keep pace with machine identity sprawl.

NHIMG editorial — based on content published by GlobalSign: Unknown certificates and shrinking lifetimes are breaking PKI governance

By the numbers:

Questions worth separating out

Q: What breaks when certificate lifetimes become too short for manual tracking?

A: Manual tracking breaks first, then ownership, then renewal timing.

Q: Why do unknown certificates create both security and availability risk?

A: Unknown certificates are risky because they can expire without warning, remain unowned, or hide in systems that no team actively monitors.

Q: How do security teams know whether certificate governance is actually working?

A: Look for evidence that every certificate is discovered, owned, and tied to an automated renewal path.

Practitioner guidance

  • Inventory every certificate continuously Scan servers, cloud workloads, containers, endpoints, and legacy systems on a recurring basis, then map each certificate to an owner, expiry date, and trust chain.
  • Replace spreadsheet-driven renewal with CLM workflows Automate renewal, replacement, and retirement so no certificate depends on email reminders or informal knowledge to survive a shorter validity window.
  • Assign ownership to shadow and inherited certificates Create a remediation queue for certificates found in acquired platforms, test environments, and undocumented services, then force a named owner before the next renewal.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Commercial licence models and SAN-based pricing considerations for frequent certificate renewal
  • The practical implications of 47-day certificate validity for small and midsized teams
  • How discovery and automation tooling changes day-to-day certificate operations
  • The post-quantum transition angle and why the vendor frames it as a future planning issue

👉 Read GlobalSign's analysis of unknown certificates and shrinking PKI lifetimes →

Unknown certificates and 47-day lifetimes: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Certificate sprawl is a machine identity governance problem, not just a PKI maintenance issue. The article shows how expired or unknown certificates become operational failures only after organisations lose track of ownership and lifecycle. That is the same pattern seen across NHI programmes: a credential is only governable when inventory, responsibility, and rotation are all present. Practitioners should treat certificate governance as part of the broader machine identity estate.

A question worth separating out:

Q: Who should be accountable for certificate expiry incidents?

A: Accountability should sit with the team that owns the service and the certificate lifecycle, not only with central security. If a certificate supports a production system, the service owner must be able to prove discovery, renewal, and retirement controls exist. Security can set policy and oversight, but operational ownership must be explicit.

👉 Read our full editorial: Unknown certificates and shrinking lifetimes are breaking PKI governance



   
ReplyQuote
Share: