TL;DR: Digital certificate use has grown 30% since 2021, but the article says organisations still struggle with duplicate copies, insecure storage, weak auditability and lifecycle management across issuance, renewal and revocation, according to Vintegris. That turns certificate governance into an identity and compliance problem, not just a cryptography problem.
NHIMG editorial — based on content published by Vintegris: Hidden risks in the use of digital certificates
By the numbers:
- Since 2021, the number of transactions and digital certificates managed by organisations has increased by 30%.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when digital certificates are copied across multiple devices?
A: When certificates are copied across multiple devices, the organisation loses control over which instance is authoritative.
Q: Why do digital certificates create governance risk in regulated environments?
A: Digital certificates create governance risk because they prove identity and authorise transactions, so their lifecycle affects auditability, accountability and compliance.
Q: How do security teams know if certificate governance is actually working?
A: Certificate governance is working when the inventory is complete, duplicate copies are eliminated, revocation happens on schedule, and usage logs tie each certificate to a clear owner and purpose.
Practitioner guidance
- Inventory every certificate and private key location Build a complete register of where certificates, copies and private keys exist across endpoints, shared devices, application stores and third-party systems.
- Remove duplicate certificate copies after every migration Treat device changes and certificate relocation as offboarding events for the old copy.
- Enforce auditable revocation and renewal workflows Require evidence for issuance, renewal and revocation, including timestamps, approvers and affected applications.
What's in the full article
Vintegris's full article covers the operational detail this post intentionally leaves for the source:
- How the nebulaCERT centralised certificate model handles custody, authorisation and remote access in practice
- The specific notification, evidence and policy features used to support certificate expiry and usage tracking
- The article's compliance framing across RGPD, NIS2, DORA and ISO 27001 for certificate governance
- The vendor's guidance on reducing local installation of certificates and avoiding unmanaged copies
👉 Read Vintegris's analysis of hidden risks in digital certificate management →
Digital certificate governance gap: are your controls keeping up?
Explore further
Digital certificate custody is now an identity governance problem, not a narrow PKI task. The article shows that certificates are created, moved, used and retired across multiple locations, which turns them into governed identities in practice. When custody is spread across devices and teams, accountability breaks down before the cryptography does. Practitioners should manage certificates as part of the broader identity programme, not as isolated infrastructure artefacts.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- Another NHI Mgmt Group finding shows that 97% of NHIs carry excessive privileges, which is why stale certificate custody should be treated as a privilege problem as well as a trust problem.
A question worth separating out:
Q: Who is accountable when a digital certificate is misused?
A: Accountability sits with the organisation that owns custody, lifecycle and evidence of use, not with the certificate itself. If a certificate is misused, investigators should be able to trace ownership, location, revocation status and authorisation history. Frameworks such as RGPD, NIS2, DORA and ISO 27001 all expect that level of control evidence.
👉 Read our full editorial: Digital certificate governance risks are outpacing enterprise controls