TL;DR: Certificate management has expanded from website SSL/TLS into cloud applications, APIs, containers, microservices, IoT devices, code signing and stronger user authentication, according to eMudhra. That shift makes certificate lifecycle governance a wider identity problem, not a narrow PKI task.
NHIMG editorial — based on content published by eMudhra: certificate management beyond SSL/TLS
By the numbers:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
Questions worth separating out
Q: How should security teams govern certificate-based authentication for machines and devices?
A: Security teams should govern certificates as identities with owners, lifecycles, and revocation triggers, not as static configuration files.
Q: Why do certificates create governance problems when they spread across many systems?
A: Certificates create governance problems because trust is easy to issue but hard to track.
Q: What do security teams get wrong about code signing lifecycle management?
A: The common mistake is treating certificates as one-time setup items instead of governed assets with issuance, renewal, rotation, and revocation requirements.
Practitioner guidance
- Build a complete certificate inventory Track every certificate by owner, workload, issuer, expiry date and revocation path across cloud, APIs, devices and software delivery systems.
- Separate code signing from general build access Restrict signing keys to dedicated approval flows and protect them with hardware-backed storage, tight audit logging and explicit release governance.
- Align certificate renewal with identity governance Connect certificate renewal, rotation and retirement to IAM and IGA workflows so orphaned certificates do not outlive the systems they authenticate.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- How emSign CertHub maps certificate workflows across websites, cloud applications, APIs and IoT devices.
- The vendor's description of automation, granular control and reporting for certificate lifecycle operations.
- The source's own explanation of how certificate management integrates with IAM and compliance reporting.
- The article's examples of how businesses can apply certificate management across security, governance and audit use cases.
👉 Read eMudhra's article on the widening scope of certificate management →
Certificate lifecycle is expanding fast: what do IAM teams need to change?
Explore further
Certificate management is now an identity governance problem, not a narrow PKI task. The article correctly shows that certificates authenticate workloads, APIs, devices and people, which means lifecycle control now spans multiple actor types. That broad scope pushes certificate governance into IAM, IGA and machine identity operations rather than leaving it inside a technical crypto team. Practitioners should treat certificate ownership, renewal and revocation as identity controls, not asset housekeeping.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- 54% of organisations describe certificate and secret lifecycle ownership as fragmented across teams, according to the NHI Lifecycle Management Guide.
A question worth separating out:
Q: What is the difference between certificate encryption and certificate governance?
A: Encryption protects data in transit or at rest, while governance controls who can issue, use, rotate and revoke certificates. A certificate can be technically strong and still create risk if ownership is unclear or the lifecycle is unmanaged. Governance is what keeps trust from becoming sprawl.
👉 Read our full editorial: Certificate management now spans cloud, devices and user identity