Enterprise trust lists and PKI crypto-agility: where teams get stuck


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Certificate trust lists are a governed policy layer for roots and intermediates, and Keyfactor argues they are the operational foundation for crypto-agile PKI as organizations juggle sprawl, outages, and post-quantum change. Treating trust as a versioned artifact, not a one-time rollout, is now a core control problem for identity teams.

NHIMG editorial — based on content published by Keyfactor: Enterprise Trust Lists: The Backbone of Crypto-Agility

By the numbers:

Questions worth separating out

Q: How should teams govern certificate trust lists across hybrid environments?

A: Treat the trust list as the policy system of record, not as an output from certificate inventory tooling.

Q: When does certificate trust management become an outage risk?

A: It becomes an outage risk when organisations rely on inherited root stores, flat intermediates, or manual trust changes that cannot be rolled out and rolled back consistently.

Q: What do security teams get wrong about certificate lifecycle management?

A: Teams often expect CLM to decide what is trusted, when its real job is to automate discovery, renewal, and distribution.

Practitioner guidance

  • Define a trust governance owner and policy source of truth. Assign one team to approve roots, intermediates, constraints, and retirement criteria, while keeping CLM focused on distribution and validation.
  • Version the trust list like a controlled policy artifact. Store the approved trust list in version control, require human approval for changes, and keep machine-readable output that can be rolled back instantly if validation signals degrade.
  • Validate trust decisions at discovery time. Continuously compare discovered certificates across workloads, clouds, and keystores against the approved trust list, and flag unapproved or deprecated issuers as policy violations.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • A governed trust-list operating model with separation of duties between policy owners and CLM teams
  • Staged rollout mechanics for distributing approved roots and intermediates across heterogeneous environments
  • Rollback and de-trust playbooks for emergency issuer changes, including validation checkpoints
  • Practical guidance for PQC-ready trust path testing and canary deployment

👉 Read Keyfactor's analysis of enterprise trust lists and crypto-agility →

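One way to implement the "validate trust decisions at discovery time" step from the practitioner guidance above, as an added example that is not Keyfactor's or NHIMG's code: it treats the approved trust list as a versioned artifact and checks discovery output against it, matching on issuer fingerprint only rather than building full chains. All fingerprints, CA names, workload locations and dates below are constructed sample data.

```python
from datetime import date

# Constructed example of the approved trust list as a versioned policy artifact
# (what would live in version control after human approval). Keys are SHA-256
# fingerprints of issuing CA certificates; every value here is made up.
TRUST_LIST = {
    "version": "2024.07.1",
    "issuers": {
        "a1b2c3": {"name": "Corp Root CA 1", "status": "approved", "retire_after": None},
        "d4e5f6": {"name": "Corp Issuing CA 2019", "status": "deprecated", "retire_after": "2024-12-31"},
    },
}

# Constructed discovery output: one record per certificate found in a keystore.
DISCOVERED = [
    {"subject": "api.corp.example", "issuer_fp": "a1b2c3", "issuer_name": "Corp Root CA 1", "location": "k8s/prod/ingress-tls"},
    {"subject": "db01.corp.example", "issuer_fp": "d4e5f6", "issuer_name": "Corp Issuing CA 2019", "location": "vm/db01/java-keystore"},
    {"subject": "legacy.corp.example", "issuer_fp": "0f0f0f", "issuer_name": "Appliance Default CA", "location": "vm/legacy/etc-ssl"},
]

def evaluate_trust(trust_list, discovered, today):
    """Compare discovered certificates with the approved trust list as of `today`
    (ISO date string). Each finding carries the trust-list version so it can be
    tied to, and rolled back with, one specific approved policy version."""
    today = date.fromisoformat(today)
    issuers = trust_list["issuers"]
    findings = []
    for cert in discovered:
        entry = issuers.get(cert["issuer_fp"])
        if entry is None:
            reason, severity = "unapproved_issuer", "violation"
        elif entry["status"] == "deprecated":
            # Deprecated issuers are tolerated until their retirement date passes.
            if today > date.fromisoformat(entry["retire_after"]):
                reason, severity = "retired_issuer", "violation"
            else:
                reason, severity = "deprecated_issuer", "warning"
        else:
            continue  # approved issuer: nothing to report
        findings.append({
            "severity": severity, "reason": reason, "subject": cert["subject"],
            "issuer": cert["issuer_name"], "location": cert["location"],
            "policy_version": trust_list["version"],
        })
    return findings

if __name__ == "__main__":
    for f in evaluate_trust(TRUST_LIST, DISCOVERED, "2024-08-01"):
        print(f"{f['severity'].upper():9} {f['location']}: {f['subject']} issued by "
              f"{f['issuer']} ({f['reason']}, policy {f['policy_version']})")
```

Run it once with a date before the retirement date and once after to see the deprecated issuer move from a warning to a violation without any change to the discovery data.
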
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Enterprise trust lists are the missing control plane for PKI governance. The article is right to separate policy from automation, because certificate lifecycle tooling can distribute trust but cannot define what should be trusted. In practice, many environments still confuse certificate inventory with trust governance, which leaves root and intermediate decisions scattered across teams and platforms. The result is a policy drift problem that becomes visible only during outages or issuer change events. Practitioners should treat trust lists as the authoritative control surface for PKI.

A few things that frame the scale:

  • 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
  • Another finding from the same research shows that 61% rely on spreadsheets or manual tracking for machine identity management, which explains why trust and ownership drift so easily.

A question worth separating out:

Q: How do organisations prepare trust policies for post-quantum cryptography?

A: They should stage new chains in non-critical paths, test canary rollouts, and confirm that trust bundles can be updated without breaking dependent systems. The goal is to prove that issuer and algorithm changes can move through the environment under controlled conditions before broad adoption.

👉 Read our full editorial: Enterprise trust lists are becoming core to crypto-agile PKI
