TL;DR: Browser trust depends on certificate authorities proving identity, revocation discipline, and auditability, and DigiCert’s article shows how mis-issuance, expired certificates, or weak CA trust can quickly turn into user-facing warnings and business disruption. The lesson for identity teams is that certificate lifecycle control is a governance problem, not just a technical issuance problem.
NHIMG editorial — based on content published by DigiCert: What Is a CA’s Role in Delivering Digital Trust?
Questions worth separating out
Q: How should security teams govern certificate lifecycle across modern environments?
A: Security teams should treat certificates like managed identity assets, not static infrastructure.
Q: Why do certificate failures create broader identity and access risk?
A: Certificate failures matter because they can break authenticated connections, expose users to trust warnings, and disrupt services that depend on machine authentication.
Q: How do teams know if certificate governance is working?
A: Teams know certificate governance is working when every certificate has a clear owner, expiry is monitored well in advance, revocation can be executed quickly, and no certificates are discovered outside the approved inventory.
Practitioner guidance
- Map certificate ownership across business services Build an inventory that ties each certificate to a service owner, issuance source, renewal path, and revocation contact so no certificate is anonymous when it expires or is disputed.
- Automate expiry detection and renewal workflows Use certificate lifecycle tooling to detect upcoming expiry, alert the right owner, and trigger controlled renewal before browsers surface trust warnings or services fail.
- Test revocation as a governance control Run revocation drills for mis-issued or compromised certificates and measure how long it takes to remove trust from the relevant chain, not just to detect the problem.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The article’s plain-English walkthrough of how browsers decide whether a certificate is trusted or distrusted.
- The specific CA/B Forum context behind public trust, audits, and revocation discipline.
- DigiCert’s description of Trust Lifecycle Manager capabilities such as discovery, inventory, expiry notifications, and governance across CAs.
- The example of Entrust’s delayed revocation and the browser trust consequences that followed.
👉 Read DigiCert’s explanation of certificate authority trust and digital trust →
Certificate authority trust gaps: what IAM teams need to know?
Explore further
Certificate trust is an identity governance problem, not a branding problem. The article frames trust as something browsers grant to issuers that can prove identity, operate securely, and revoke quickly when needed. That is the same governance model identity teams use for access, except certificates expose the weakness more visibly because users see the failure immediately. The practitioner conclusion is simple: if certificate governance is weak, the organisation does not control its digital trust boundary.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who should be accountable when a certificate authority trust issue occurs?
A: Accountability should sit with the teams that own issuance policy, lifecycle operations, and trust list management, not only with platform engineers. A trust issue is a governance failure as much as a technical one. Organisations should define who can revoke, who can approve exceptions, and who must report the impact when trust is lost.
👉 Read our full editorial: Certificate authorities and digital trust: why browser trust fails