Certificate visibility gaps: what IAM teams need to fix now

TL;DR: Equifax’s 76-day breach showed how an expired digital certificate on a network device can disable vulnerability scanning, delay detection, and contribute to massive PII exposure, according to DigiCert’s analysis. The lesson is that certificate lifecycle management is not housekeeping; it is a control for visibility, continuity, and breach containment.

NHIMG editorial — based on content published by DigiCert covering the Equifax data breach: Lessons from the Equifax data breach

By the numbers:

• Equifax’s data breach exposed highly sensitive information from more than 150 million affected Americans.
• The breach cost the company $575 million in FTC fines alone.

Questions worth separating out

Q: What breaks when certificate visibility is not centralised?

A: When certificate visibility is fragmented, organisations lose reliable ownership, renewal timing, and policy enforcement.

Q: Why do expired certificates increase breach risk in enterprise environments?

A: Expired certificates increase breach risk because they can remove or weaken the control that authenticates a system or enables monitoring.

Q: How do security teams know if certificate lifecycle management is working?

A: Certificate lifecycle management is working when every certificate has a clear owner, renewal is automated or tightly managed, and expiry cannot occur without escalation.

Practitioner guidance

• Build a central certificate inventory Track every TLS and operational certificate with owner, system, expiry date, and renewal path in one authoritative register.
• Map certificates to dependent security functions Document which control each certificate enables, such as scanning, authentication, or encrypted communications, so expiry events can be prioritised by security impact rather than by certificate count alone.
• Automate expiry monitoring and renewal workflows Replace spreadsheet and email-based follow-up with policy-driven alerts, approval routing, and renewal runbooks that can act before the certificate reaches expiry.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

• A deeper walkthrough of how certificate expiry prevented the network tracking device from supporting vulnerability scanning.
• A fuller discussion of the audit and policy gaps that arise when certificate ownership is spread across business units.
• Examples of certificate lifecycle management workflows that reduce the chance of missed renewals and stale credentials.
• The article's own framing of how central visibility changes the risk profile for large certificate estates.

👉 Read DigiCert’s analysis of how certificate visibility failures shaped the Equifax breach →

Certificate visibility gaps: what IAM teams need to fix now?

Explore further

View Full Forum →  |  NHI Foundation Course →