Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day TLS readiness: what partner certificate automation changes


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Shorter TLS lifecycles are pushing certificate renewals from an annual task toward continuous operations, with DigiCert positioning the Partner Subscriptions API and ACME automation as a delivery model for partners to manage that shift. The real issue is not issuance volume alone, but the collapse of manual certificate administration as a sustainable control.

NHIMG editorial — what this means for NHI practitioners

Questions worth separating out

Q: How should security teams prepare for shorter TLS certificate lifecycles?

A: They should move certificate management from manual renewal to governed automation.

Q: Why do shorter TLS lifecycles increase operational risk for certificate teams?

A: Because renewal becomes frequent enough that human tracking, ticketing, and exception handling stop scaling.

Q: What breaks when certificate renewal still depends on manual processes?

A: Manual renewal creates delay, missed deadlines, and uneven visibility across domains and subaccounts.

Practitioner guidance

  • Inventory certificate ownership across all domains and subdomains Document which team, partner, or platform owns issuance, renewal, cancellation, and SAN changes for each domain so lifecycle accountability is explicit before automation is introduced.
  • Validate ACME renewal paths end to end Test client configuration, EAB credential handling, renewal observability, and failure recovery so certificate replacement works without relying on manual intervention.
  • Move certificate governance into lifecycle processes Treat renewal, cancellation, and domain entitlement changes as governed lifecycle events rather than isolated administrative tasks, and align them with existing identity ownership workflows.

What's in the full announcement

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • How the Partner Subscriptions API structures annual named-domain entitlements and subscription management
  • Which ACME contract endpoints partners can use to create, update, cancel, and inspect subscriptions
  • How partners can handle SAN additions and removals during the subscription term
  • How different partner delivery models shift ACME configuration between the provider and the end customer

👉 Read DigiCert's partner blog on the Partner Subscriptions API and TLS automation →

47-day TLS readiness: what partner certificate automation changes?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Manual certificate renewal is becoming an assumption failure, not just an operational inconvenience. The old model assumed annual or infrequent renewals were manageable through human tracking and ticket-based follow-up. That assumption fails when certificate lifecycles compress toward 47 days because the process burden becomes continuous and error-prone. The implication is that teams must stop treating certificate administration as a periodic task and start treating it as lifecycle governance.

A few things that frame the scale:

  • 57% of organisations lack a complete inventory of their machine identities, according to The Critical Gaps in Machine Identity Management report.
  • 66% say their current tooling is not adequate to manage the scale of machine identities they now have, according to the same report.

A question worth separating out:

Q: Who should own certificate lifecycle governance in a partner-delivered model?

A: Ownership should sit with the party that can actually execute renewal, cancellation, and entitlement changes, even if the customer experience is abstracted. If the partner runs the automation, that partner needs operational accountability. If the customer configures the client, the boundary must still be explicit.

👉 Read our full editorial: DigiCert Partner Subscriptions API and the move to 47-day TLS



   
ReplyQuote
Share: