SC-090 and certificate validation: what changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter

TL;DR: Ballot SC-090 would phase out legacy certificate validation methods that depend on email, phone, fax, or IP crossover checks and push the ecosystem toward fully automated domain and IP validation, according to DigiCert. Manual validation is becoming operational debt, and certificate lifecycle management now has to be built around automation rather than human intervention.

NHIMG editorial — based on content published by DigiCert: CA/BF Ballot SC-090: A Step Closer to Fully Automated Validation

Questions worth separating out

Q: How should security teams migrate away from manual certificate validation methods?

A: Start by identifying every certificate workflow that still depends on email, phone, fax, postal, or crossover checks.

Q: Why does certificate validation belong in identity governance discussions?

A: Because validation determines which domain or IP address can receive a trusted certificate, which is a governance decision about authority and lifecycle control.

Q: What breaks when certificate validation still depends on people?

A: Manual validation introduces delay, inconsistency, and avoidable operational risk when certificate renewals are frequent or distributed across many environments.

Practitioner guidance

  • Inventory every manual validation dependency: identify certificates that still rely on email, phone, fax, postal mail, or crossover validation methods, then map each one to the service owner and renewal path.
  • Prioritise DNS and HTTP validation migration: move high-volume domains and IP-backed services to automated validation methods that can be triggered by certificate lifecycle tools without human intervention.
  • Review validation ownership and record integrity: confirm who can modify DNS records, HTTP validation endpoints, and certificate issuance integrations, because those systems now sit inside the trust boundary.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The exact CA/Browser Forum phase-out timeline for each legacy validation method.
  • The certificate lifecycle management workflow changes needed to support automated validation at scale.
  • The practical differences between DNS-based and HTTP-based validation for domain owners.
  • How DigiCert positions Trust Lifecycle Manager and UltraDNS integration for automated validation.

👉 Read DigiCert's analysis of SC-090 and automated certificate validation →

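The practitioner guidance in the post above is one procedure: inventory the manual validation dependencies, then move the affected certificates to DNS or HTTP validation. The block below is an added worked example; it is not code from DigiCert's article or from the NHIMG editorial. It assumes ACME (RFC 8555) as the automation protocol that drives DNS-based and HTTP-based validation (the post does not name a protocol), a constructed inventory of four certificates, and a placeholder JWK whose modulus is not a real key. It classifies each inventory row against the legacy methods the post lists, flags what still needs migration, and then derives the exact values an automated client would publish for an HTTP-01 or DNS-01 challenge, plus the check a verifier performs against a published TXT record.

```python
import base64
import hashlib
import json

# Legacy, human-mediated methods named in the post as being phased out under SC-090.
MANUAL_METHODS = {"email", "phone", "fax", "postal", "crossover"}
# Methods a certificate lifecycle tool can execute with no person in the loop.
AUTOMATED_METHODS = {"dns", "http"}


def classify_validation(method):
    """Return 'manual', 'automated' or 'unknown' for a validation-method label."""
    m = method.strip().lower()
    if m in MANUAL_METHODS:
        return "manual"
    if m in AUTOMATED_METHODS:
        return "automated"
    return "unknown"


def inventory_report(rows):
    """Map every certificate to owner and renewal path; entries needing migration sort first.

    rows: dicts with keys domain, method, owner, renewal_path (constructed here).
    """
    report = []
    for row in rows:
        cls = classify_validation(row["method"])
        report.append({
            "domain": row["domain"],
            "method": row["method"].strip().lower(),
            "class": cls,
            "owner": row["owner"],
            "renewal_path": row["renewal_path"],
            "needs_migration": cls != "automated",
        })
    report.sort(key=lambda r: (not r["needs_migration"], r["domain"]))
    return report


def _b64url(data):
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def http01_key_authorization(token, jwk):
    """Body served at /.well-known/acme-challenge/<token> for HTTP-01 (RFC 8555 section 8.3)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token, jwk):
    """TXT record value published at _acme-challenge.<domain> for DNS-01 (RFC 8555 section 8.4)."""
    key_auth = http01_key_authorization(token, jwk)
    return _b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def verify_dns01(token, jwk, published_txt):
    """The check a validator performs: does the published TXT match the expected digest?"""
    return published_txt == dns01_txt_value(token, jwk)


# Constructed sample inventory; domains, owners and paths are illustrative, not real systems.
SAMPLE_INVENTORY = [
    {"domain": "api.example.test", "method": "dns", "owner": "platform-ops", "renewal_path": "lifecycle-tool"},
    {"domain": "portal.example.test", "method": "Email", "owner": "web-team", "renewal_path": "manual-ticket"},
    {"domain": "vpn.example.test", "method": "fax", "owner": "netops", "renewal_path": "manual-ticket"},
    {"domain": "www.example.test", "method": "http", "owner": "web-team", "renewal_path": "lifecycle-tool"},
]

# Constructed placeholder JWK: the modulus is a dummy string, not a usable RSA key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbW9kdWx1cw"}

if __name__ == "__main__":
    for entry in inventory_report(SAMPLE_INVENTORY):
        flag = "MIGRATE" if entry["needs_migration"] else "ok"
        print(f"{flag:8} {entry['domain']:22} {entry['method']:6} {entry['owner']:13} {entry['renewal_path']}")
    token = "constructed-challenge-token"  # in practice issued by the CA per challenge
    print("HTTP-01 body:", http01_key_authorization(token, SAMPLE_JWK))
    print("DNS-01 TXT:  ", dns01_txt_value(token, SAMPLE_JWK))
```

The migration flag is deliberately true for anything not positively known to be automated, so an unrecognised method label is treated as work to do rather than silently passed. The third bullet in the post (who can modify DNS records and HTTP endpoints) is exactly why `verify_dns01` matters: whoever can write the `_acme-challenge` TXT record can satisfy the challenge, so DNS write access is now part of the certificate trust boundary.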
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144

Manual certificate validation is an operational exception that the industry is now closing down. SC-090 makes clear that email, phone, fax, and crossover methods no longer fit a certificate ecosystem built for continuous automation. The ballot is not just removing old options, it is formalising a governance assumption that validation must be machine-executable if certificate lifecycle management is to remain reliable. Practitioners should treat any remaining human-mediated validation path as a shrinking exception, not a durable control.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why lifecycle controls often fail at the implementation layer.

A question worth separating out:

Q: Who should own the move to automated certificate validation?

A: Ownership should sit across PKI, platform operations, and identity governance rather than in a single administrative team. The reason is that validation now depends on DNS, HTTP, and lifecycle integrations that cross control boundaries. Shared ownership prevents gaps between certificate policy, domain control, and service uptime.

👉 Read our full editorial: Certificate validation is moving to full automation under SC-090
