47-day certificate lifecycles: what IAM and trust teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7740
Topic starter  

TL;DR: To cope with a 47-day TLS lifecycle, certificate governance is increasingly becoming a continuous identity and trust operation, according to DigiCert. Its internal “Customer Zero” programme consolidated certificate inventory, policy, automation, and observability, with more than 99% of eligible certificates now renewing through automation.

NHIMG editorial — based on content published by DigiCert: Inside Customer Zero: Building Trust Ops for the 47-Day Era

By the numbers:

Questions worth separating out

Q: How should teams govern certificate lifecycles when renewal windows shrink to 47 days?

A: Teams should move certificate governance into a continuous operating model with authoritative inventory, explicit ownership, and automated renewal paths.

Q: Why do short-lived certificates expose weaknesses in identity and access programmes?

A: Short-lived certificates expose the same control failures that appear in NHI governance: poor ownership, duplicate records, stale entitlements, and weak observability.

Q: What breaks when certificate automation depends on custom scripts and legacy systems?

A: Custom scripts and legacy-only dependencies create renewal drag, inconsistent error handling, and delayed failure detection.

Practitioner guidance

  • Consolidate certificate inventory into one authoritative system of record: map every certificate, owner, business unit, and renewal path into a single control plane before shortening validity windows.
  • Standardise renewal paths by protocol support: use ACME where possible, then separate SCEP, EST, and API-managed populations from the legacy tail that still depends on scripts or manual coordination.
  • Instrument renewal operations like production services: track renewal success rate, stalled jobs, sensor health, and notification fatigue as operational metrics.
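As an added illustration of the three guidance points above (this is not code from DigiCert or from the NHIMG post), a Python sketch that runs the ownership, duplicate, lifecycle and renewal-path checks over a constructed sample inventory and computes the renewal metrics the post names. The 15-day renewal threshold and the 3-day stall window are assumed policy values, and the inventory records are invented.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

LIFECYCLE_DAYS = 47                # maximum validity under the 47-day regime
RENEW_AT_REMAINING = 15            # renew when this many days remain (assumed policy)
STALLED_AFTER = timedelta(days=3)  # a pending job older than this is stalled (assumed)

@dataclass
class Cert:
    cn: str
    owner: str          # "" when no owner is recorded
    unit: str           # business unit
    path: str           # renewal path: "acme", "scep", "est", "api" or "manual"
    not_after: date
    job_state: str      # last renewal job: "success", "pending" or "failed"
    job_started: date

def inventory_report(certs, today):
    """Flag the control failures the post lists and compute its renewal metrics."""
    left = lambda c: (c.not_after - today).days
    stalled = lambda c: c.job_state == "pending" and today - c.job_started > STALLED_AFTER
    report = {
        "total": len(certs),
        "missing_owner": [c.cn for c in certs if not c.owner],
        "duplicate_cn": sorted(cn for cn, n in Counter(c.cn for c in certs).items() if n > 1),
        "over_lifecycle": [c.cn for c in certs if left(c) > LIFECYCLE_DAYS],
        "due_now": [c.cn for c in certs if left(c) <= RENEW_AT_REMAINING],
        "stalled_jobs": [c.cn for c in certs if stalled(c)],
        "legacy_tail": [c.cn for c in certs if c.path == "manual"],
    }
    done = [c for c in certs if c.job_state != "pending"]  # only finished jobs count
    report["success_rate"] = {
        p: round(sum(c.job_state == "success" for c in done if c.path == p)
                 / sum(c.path == p for c in done), 2)
        for p in sorted({c.path for c in done})
    }
    return report
# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2025, 6, 1)
def d(n): return TODAY + timedelta(days=n)
SAMPLE = [
    Cert("api.example.test", "platform", "eng", "acme", d(40), "success", d(-7)),
    Cert("vpn.example.test", "", "it", "scep", d(10), "pending", d(-5)),
    Cert("legacy.example.test", "ops", "finance", "manual", d(300), "failed", d(-1)),
    Cert("api.example.test", "platform", "eng", "acme", d(45), "success", d(-1)),
]
if __name__ == "__main__":
    for key, value in inventory_report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

Running it on the sample flags the unowned VPN certificate as both due and stalled, the duplicate API record, and the 300-day manual certificate as the legacy tail, with a per-path success rate of 1.0 for ACME and 0.0 for manual.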

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact internal migration sequence used to consolidate certificate activity into a single trust lifecycle manager tenant.
  • The practical mechanics of moving specific certificate populations onto ACME, SCEP, EST, and API-based renewal paths.
  • The failure patterns DigiCert saw in rate limiting, pending jobs, and notification fatigue during the shift to shorter lifecycles.
  • The production metrics behind the automation result, including how renewal success was measured across the environment.

👉 Read DigiCert's Customer Zero blog on the 47-day trust lifecycle →
