Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day certificate lifecycles: what IAM and trust teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: To cope with a 47-day TLS lifecycle, certificate governance is increasingly becoming a continuous identity and trust operation, according to DigiCert. Its internal “Customer Zero” programme consolidated certificate inventory, policy, automation, and observability, with more than 99% of eligible certificates now renewing through automation.

NHIMG editorial — based on content published by DigiCert: Inside Customer Zero: Building Trust Ops for the 47-Day Era

By the numbers:

Questions worth separating out

Q: How should teams govern certificate lifecycles when renewal windows shrink to 47 days?

A: Teams should move certificate governance into a continuous operating model with authoritative inventory, explicit ownership, and automated renewal paths.

Q: Why do short-lived certificates expose weaknesses in identity and access programmes?

A: Short-lived certificates expose the same control failures that appear in NHI governance: poor ownership, duplicate records, stale entitlements, and weak observability.

Q: What breaks when certificate automation depends on custom scripts and legacy systems?

A: Custom scripts and legacy-only dependencies create renewal drag, inconsistent error handling, and delayed failure detection.

Practitioner guidance

  • Consolidate certificate inventory into one authoritative system of record Map every certificate, owner, business unit, and renewal path into a single control plane before shortening validity windows.
  • Standardise renewal paths by protocol support Use ACME where possible, then separate SCEP, EST, and API-managed populations from the legacy tail that still depends on scripts or manual coordination.
  • Instrument renewal operations like production services Track renewal success rate, stalled jobs, sensor health, and notification fatigue as operational metrics.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact internal migration sequence used to consolidate certificate activity into a single trust lifecycle manager tenant.
  • The practical mechanics of moving specific certificate populations onto ACME, SCEP, EST, and API-based renewal paths.
  • The failure patterns DigiCert saw in rate limiting, pending jobs, and notification fatigue during the shift to shorter lifecycles.
  • The production metrics behind the automation result, including how renewal success was measured across the environment.

👉 Read DigiCert's Customer Zero blog on the 47-day trust lifecycle →

47-day certificate lifecycles: what IAM and trust teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Certificate lifecycle management has crossed from administration into identity governance. A 47-day certificate model leaves no room for informal ownership or ad hoc renewal habits. Once validity windows shrink, certificate control becomes a question of policy enforcement, authoritative inventory, and operational accountability. Practitioners should treat certificates as governed identities, not as background configuration.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.

A question worth separating out:

Q: Who should be accountable when certificate renewal fails in production?

A: Accountability should sit with the teams that own the inventory, renewal policy, and operational telemetry, not with whoever notices expiry first. Governance frameworks such as NIST Cybersecurity Framework 2.0 and zero-trust models expect explicit control ownership. If no team owns the trust lifecycle end to end, the programme is relying on luck.

👉 Read our full editorial: Certificate lifecycle operations need a 47-day trust model



   
ReplyQuote
Share: