TL;DR: Two-thirds of organisations have suffered outages from unexpectedly expiring certificates, while nearly half still find certificates outside the IT security team’s purview and almost 2 in 5 have three or more departments managing them, according to DigiCert. The message is clear: digital trust fails when certificate ownership, visibility, and lifecycle control are fragmented.
NHIMG editorial — based on content published by DigiCert: Solving digital trust for the real world
By the numbers:
- Nearly 2 in 5 organisations have three or more departments managing certificates.
Questions worth separating out
Q: How should security teams manage certificate lifecycle risk across multiple departments?
A: Security teams should centralise certificate inventory, ownership, renewal, and revocation even when operational teams request or use the certificates.
Q: Why do certificate management failures create zero-trust problems?
A: Zero trust depends on continuous verification, but verification is only as good as the certificate or trust signal behind it.
Q: What do organisations get wrong about certificate rotation and renewal?
A: Many teams treat certificate renewal as a calendar task instead of a governance control.
Practitioner guidance
- Inventory every certificate and owner: Build a single authoritative register that records certificate purpose, owner, system dependency, expiry date, and renewal path.
- Unify renewal and revocation workflows: Route renewal approvals, revocation triggers, and exception handling through one process so no certificate can drift outside governance.
- Tie device trust to signed software: Require code signing for firmware and software updates on connected devices, and verify that update pipelines preserve signing integrity from build to deployment.
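As an added illustration of the register and lifecycle checks above (this is example code written for this post, not DigiCert's or NHIMG's tooling), the script below audits a constructed certificate register with the fields the guidance lists and flags the failure modes the survey describes: imminent or past expiry, no accountable owner, no recorded renewal path, and ownership spread across three or more departments. The register entries, department names and the reference date are all invented.

```python
from collections import Counter
from datetime import date

# Constructed sample register (invented values); fields follow the post's list
# (purpose, owner, system dependency, expiry, renewal path) plus department.
REGISTER = [
    {"cn": "api.example.test", "purpose": "TLS server", "owner": "platform-team",
     "department": "Platform", "system": "public API gateway",
     "expires": date(2025, 3, 10), "renewal_path": "ACME automated"},
    {"cn": "vpn.example.test", "purpose": "TLS server", "owner": "",
     "department": "Network", "system": "remote-access VPN",
     "expires": date(2025, 2, 28), "renewal_path": ""},
    {"cn": "fw-signing", "purpose": "code signing", "owner": "firmware-team",
     "department": "Engineering", "system": "device update pipeline",
     "expires": date(2026, 9, 1), "renewal_path": "manual HSM ceremony"},
    {"cn": "intranet.example.test", "purpose": "TLS server", "owner": "it-ops",
     "department": "IT", "system": "HR portal",
     "expires": date(2025, 1, 15), "renewal_path": "manual"},
]
REFERENCE_DATE = date(2025, 2, 1)  # assumed "today" for the sample run

def audit_register(register, today, warn_days=30):
    """Return (findings per certificate, governance summary).
    Flags expiry within warn_days or already past, a missing owner and a
    missing renewal path; the summary counts managing departments (3+ = fragmented)."""
    findings = {}
    for cert in register:
        issues = []
        days_left = (cert["expires"] - today).days
        if days_left < 0:
            issues.append("expired")
        elif days_left <= warn_days:
            issues.append(f"expires in {days_left} days")
        if not cert["owner"]:
            issues.append("no accountable owner")
        if not cert["renewal_path"]:
            issues.append("no renewal path recorded")
        findings[cert["cn"]] = issues
    departments = Counter(c["department"] for c in register)
    summary = {
        "departments_managing": len(departments),
        "fragmented": len(departments) >= 3,
        "certs_needing_action": sorted(cn for cn, i in findings.items() if i),
    }
    return findings, summary

def run_sample_audit():
    """Audit the constructed register as of REFERENCE_DATE."""
    return audit_register(REGISTER, REFERENCE_DATE)
```

Calling `run_sample_audit()` returns the per-certificate issue lists and the fragmentation summary; in practice the register would be populated from discovery scans rather than typed in by hand.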
What's in the full article
DigiCert's full article covers the operational detail this post intentionally leaves for the source:
- The vendor's full discussion of certificate lifecycle management across discovery, automation, and reporting
- More detail on DigiCert ONE, certificate managers, and how the platform is positioned for unified trust management
- The post's explanation of device trust, code signing, and software supply chain integrity in connected environments
- Additional context on DNS Made Easy, post-quantum cryptography, and DigiCert's broader trust roadmap
👉 Read DigiCert's analysis of digital trust, certificate lifecycle, and zero trust →
Certificate lifecycle management and digital trust: what teams need?
Explore further
Certificate sprawl is a governance problem before it is a technical one. DigiCert’s own survey data points to outages, fragmented ownership, and certificates managed outside IT security. That combination tells us the control failure is not just expiry monitoring but lack of a single accountable lifecycle. The implication is that certificate governance must be treated as an identity programme capability, not a tooling add-on.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, which shows how often lifecycle control still fails before governance can begin.
A question worth separating out:
Q: Who should own certificate governance in an enterprise?
A: Certificate governance should sit with identity and security leadership, but operational responsibility must extend to the teams running the systems that use the certificates. The key is not where the task lives administratively. It is whether one accountable process can see the full lifecycle from issuance to retirement.
👉 Read our full editorial: Certificate lifecycle management and digital trust at enterprise scale