Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PKI trust boundaries: what fit means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: PKI trust is contextual, not universal: external PKI suits public internet use cases, internal PKI fits closed environments, and federated PKI supports cross-organisation trust, according to DigiCert. The governance question is not cryptography alone, but which trust boundary, operating model, and lifecycle controls match the identity being secured.

NHIMG editorial — based on content published by DigiCert: External, internal, or federated PKI? How to find the right fit

By the numbers:

Questions worth separating out

Q: How should teams choose between external, internal, and federated PKI?

A: Choose external PKI when broad browser and operating system trust is required, internal PKI when trust must stay inside one organisation, and federated PKI when multiple organisations need a shared trust root.

Q: When does public PKI create more risk than it reduces?

A: Public PKI creates more risk when organisations use it for internal services, devices, or long-lived infrastructure that depend on stable lifecycle control.

Q: What breaks when private PKI is deployed without lifecycle governance?

A: Private PKI breaks down when teams do not maintain clear ownership of issuance, trust configuration, renewal, and revocation.

Practitioner guidance

  • Map trust boundaries before choosing PKI model Classify each use case by who must trust the certificate, whether trust must cross organisational boundaries, and whether browser trust is actually required.
  • Separate public-facing certificates from internal identity use Do not reuse web PKI certificates for internal services, device authentication, or long-lived infrastructure unless the external governance model is explicitly desired.
  • Inventory all relying systems for private CA onboarding Document every workload, device, and service that must trust a private CA, then automate distribution and renewal to reduce outage risk.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Examples of where external PKI is the right fit across public web, API, and software distribution use cases
  • Practical guidance on using private PKI for internal services, IoT devices, and enterprise trust domains
  • The federated PKI models referenced in healthcare, finance, and EV ecosystems
  • Policy changes that affect certificate lifetimes, revocation, and public trust assumptions

👉 Read DigiCert's guidance on choosing between external, internal, and federated PKI →

PKI trust boundaries: what fit means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

PKI model selection is really a trust-boundary decision, not a cryptography decision. The article correctly frames PKI as contextual: public, internal, and federated trust each solve a different governance problem. For identity teams, the critical question is whether the relying party is a browser, a device fleet, an internal workload, or a cross-organisation partner. The practitioner takeaway is to classify the trust boundary before selecting the certificate model.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, which shows how quickly identity programmes are being asked to govern behaviours they were not designed for.

A question worth separating out:

Q: Who should be accountable for certificate trust decisions across identity programmes?

A: Accountability should sit with the teams that own the identity being protected, which may be IAM for people, NHI teams for workloads and services, or infrastructure teams for device trust. Security, platform, and identity functions should share policy oversight, but one team must own lifecycle decisions end to end.

👉 Read our full editorial: External, internal or federated PKI for identity trust fit



   
ReplyQuote
Share: