
Certificate automation and DCV changes are the governance gap teams face


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8130
Topic starter  

TL;DR: CA/Browser Forum discussions in Warsaw point to mandatory automation support, the possible sunset of non-automatable DCV methods, and growing pressure to prepare for post-quantum TLS, according to DigiCert. The core issue is that certificate governance now depends on automation maturity, not manual processes that no longer scale.

NHIMG editorial — based on content published by DigiCert: Insights from the CA/Browser Forum’s Warsaw Discussions

By the numbers:

Questions worth separating out

Q: How should security teams prepare for certificate lifecycle automation becoming mandatory?

A: They should inventory every certificate workflow, remove manual renewal dependencies, and test whether issuance, rotation, and revocation can run without human handoffs.

Q: Why do non-automatable DCV methods create governance risk?

A: They create risk because validation depends on processes that are slow, inconsistent, and difficult to scale across modern certificate estates.

Q: How do organisations know whether certificate readiness is actually improving?

A: They should look for fewer manual exceptions, shorter renewal lead times, clear certificate ownership, and a complete inventory of certificates that includes issuance method and expiry exposure.

Practitioner guidance

  • Map every certificate workflow end to end: Document issuance, renewal, validation, revocation, and exception handling across public TLS, internal PKI, and code signing so you can see where humans still intervene.
  • Eliminate non-automatable validation paths: Identify domains or certificate classes that still depend on phone, email, fax, SMS, or postal mail validation and migrate them to automatable methods before policy deadlines.
  • Separate TLS and code-signing readiness plans: Treat short-lived TLS certificates and long-lived signing keys as different migration tracks with different trust-store, tooling, and rollback requirements.
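As an added illustration of the readiness signals above (manual exceptions, renewal lead time, ownership, expiry exposure, non-automatable validation paths, separate TLS and code-signing tracks), here is a small audit over a constructed certificate inventory. This is example code written for this post, not DigiCert's or NHIMG's tooling; the record fields, the "dns"/"http" method labels and the sample names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# Validation methods the post names as non-automatable.
NON_AUTOMATABLE_DCV = {"phone", "email", "fax", "sms", "postal-mail"}

@dataclass
class CertRecord:
    name: str                 # subject or key identifier
    track: str                # "tls" or "code-signing": separate migration tracks
    validation_method: str    # assumed labels, e.g. "dns", "http", "email"
    owner: Optional[str]      # accountable team; None means ownership is unknown
    not_after: date           # expiry date
    renewal_lead_days: int    # days before expiry at which renewal normally starts
    manual_renewal: bool      # True if a human must act for renewal to happen

def readiness_report(records, today, expiry_window_days=30):
    """Per track, list the certificates that still block automation and
    summarise expiry exposure and typical renewal lead time."""
    horizon = today + timedelta(days=expiry_window_days)
    report = {}
    for track in sorted({r.track for r in records}):
        rows = [r for r in records if r.track == track]
        report[track] = {
            "total": len(rows),
            "manual_exceptions": [r.name for r in rows if r.manual_renewal],
            "non_automatable_dcv": [r.name for r in rows
                                    if r.validation_method in NON_AUTOMATABLE_DCV],
            "unowned": [r.name for r in rows if r.owner is None],
            "expiring_soon": [r.name for r in rows if r.not_after <= horizon],
            "median_renewal_lead_days": median(r.renewal_lead_days for r in rows),
        }
    return report

# Constructed sample inventory; none of these names are real domains or keys.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", "tls", "dns", "web-platform", date(2025, 7, 15), 14, False),
    CertRecord("api.example.test", "tls", "http", "api-team", date(2025, 6, 20), 10, False),
    CertRecord("legacy.example.test", "tls", "email", None, date(2025, 6, 10), 30, True),
    CertRecord("vpn.example.test", "tls", "phone", "netops", date(2026, 1, 1), 45, True),
    CertRecord("release-signing-key", "code-signing", "postal-mail", "build-eng", date(2027, 3, 1), 90, True),
]

if __name__ == "__main__":
    for track, summary in readiness_report(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(track, summary)
```

Running the audit on each inventory snapshot and watching the manual-exception and non-automatable lists shrink is one concrete way to answer the "is readiness actually improving" question.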

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific CA/B Forum proposals and ballot timing behind each policy change.
  • The distinction between current requirements for new CAs and upcoming requirements for existing CAs.
  • The practical differences between Web PKI server authentication, client authentication, and X9 PKI for mTLS use cases.
  • The article's full explanation of Photosynthesis and MPIC in the context of certificate transparency and validation.

👉 Read DigiCert’s analysis of CA/Browser Forum changes affecting certificate automation and PKI →
