TL;DR: Shorter TLS lifecycles are pushing certificate renewals from an annual task toward continuous operations, with DigiCert positioning the Partner Subscriptions API and ACME automation as a delivery model for partners to manage that shift. The real issue is not issuance volume alone, but the collapse of manual certificate administration as a sustainable control.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should security teams prepare for shorter TLS certificate lifecycles?
A: They should move certificate management from manual renewal to governed automation.
Q: Why do shorter TLS lifecycles increase operational risk for certificate teams?
A: Because renewal becomes frequent enough that human tracking, ticketing, and exception handling stop scaling.
Q: What breaks when certificate renewal still depends on manual processes?
A: Manual renewal creates delay, missed deadlines, and uneven visibility across domains and subaccounts.
Practitioner guidance
- Inventory certificate ownership across all domains and subdomains: Document which team, partner, or platform owns issuance, renewal, cancellation, and SAN changes for each domain so lifecycle accountability is explicit before automation is introduced.
- Validate ACME renewal paths end to end: Test client configuration, EAB credential handling, renewal observability, and failure recovery so certificate replacement works without relying on manual intervention.
- Move certificate governance into lifecycle processes: Treat renewal, cancellation, and domain entitlement changes as governed lifecycle events rather than isolated administrative tasks, and align them with existing identity ownership workflows.
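One way to check the first two guidance items against a certificate inventory, as an added example that is not DigiCert's or NHIMG's code. The record fields, the one-third renewal threshold, the 47-day lifetime in the sample, and the inventory itself are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: a healthy ACME client has renewed before less than one third of
# the validity period remains. Set this to your client's actual policy.
RENEW_REMAINING_FRACTION = 1 / 3

@dataclass
class CertRecord:
    domain: str
    owner: Optional[str]   # team, partner, or platform accountable for renewal
    not_before: datetime
    not_after: datetime
    automated: bool        # True if an ACME client renews this certificate

def assess(cert: CertRecord, now: datetime) -> list[str]:
    """Return findings for one certificate; an empty list means healthy."""
    findings = []
    lifetime = cert.not_after - cert.not_before
    remaining = cert.not_after - now
    if cert.owner is None:
        findings.append("no-owner")          # lifecycle accountability gap
    if not cert.automated:
        findings.append("manual-renewal")    # still depends on a human
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining < lifetime * RENEW_REMAINING_FRACTION:
        findings.append("renewal-overdue")   # automation should have acted
    return findings

def report(inventory, now):
    """Map each unhealthy domain to its findings."""
    return {c.domain: f for c in inventory if (f := assess(c, now))}

# Constructed sample inventory, fixed clock so results are reproducible.
NOW = datetime(2030, 1, 31, tzinfo=timezone.utc)

def _issued(days_ago, lifetime_days=47):
    start = NOW - timedelta(days=days_ago)
    return start, start + timedelta(days=lifetime_days)

SAMPLE = [
    CertRecord("shop.example.test", "platform-team", *_issued(10), True),
    CertRecord("api.example.test", None, *_issued(40), True),
    CertRecord("legacy.example.test", "partner-a", *_issued(50), False),
]

if __name__ == "__main__":
    for domain, findings in report(SAMPLE, NOW).items():
        print(domain, ", ".join(findings))
```

A "renewal-overdue" finding on a certificate marked as automated is the signal that the ACME renewal path has failed silently and needs the failure-recovery process.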
What's in the full announcement
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- How the Partner Subscriptions API structures annual named-domain entitlements and subscription management
- Which ACME contract endpoints partners can use to create, update, cancel, and inspect subscriptions
- How partners can handle SAN additions and removals during the subscription term
- How different partner delivery models shift ACME configuration between the provider and the end customer
47-day TLS readiness: what partner certificate automation changes?