Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Certificate lifecycle management: are your controls ready for 47-day TLS?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Certificate lifecycle management failures have caused global outages, and the move toward 47-day TLS certificates by 2029 will multiply renewal pressure by nearly 8x, according to eMudhra. Manual tracking, partial discovery, and non-native automation are no longer compatible with enterprise-scale certificate operations, especially as post-quantum reissuance approaches.

NHIMG editorial — based on content published by eMudhra: certificate lifecycle management and the 47-day TLS transition

By the numbers:

Questions worth separating out

Q: How should security teams govern certificate lifecycle management at scale?

A: They should treat certificates as governed machine identities, with ownership, discovery, issuance, renewal, revocation, and policy enforcement all tied together.

Q: Why do certificate expiry failures keep causing outages?

A: Because many organisations still depend on partial inventories and manual renewal workflows, which do not keep pace with large certificate estates or compressed lifetimes.

Q: What breaks when certificate discovery is incomplete?

A: When discovery is incomplete, renewal planning is built on missing data, so the certificates most likely to cause outages are the ones no one knew were there.

Practitioner guidance

  • Map every certificate population to an owner Build a complete inventory that includes public TLS, internal PKI, code signing, device identity, and workload certificates.
  • Validate renewal across native protocols Test whether your renewal process works through ACME, EST, or SCEP without custom scripts in the middle.
  • Separate discovery from issuance claims Check whether the platform can find certificates it did not issue, including certificates from external public CAs and unmanaged network segments.

What's in the full article

eMudhra's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step evaluation criteria for certificate lifecycle platforms that go beyond spreadsheet replacement.
  • Protocol-specific renewal considerations for ACME, EST, and SCEP in enterprise environments.
  • Practical guidance on handling hybrid PQC issuance and reissuance during the transition window.
  • Buyer questions for separating partial discovery from real estate-wide certificate visibility.

👉 Read eMudhra's guide to certificate lifecycle management and 47-day TLS readiness →

Certificate lifecycle management: are your controls ready for 47-day TLS?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Certificate lifecycle management is now machine identity governance, not infrastructure hygiene. The article correctly frames certificate expiry as an operational failure, but the deeper issue is governance scope. Certificates are non-human identities when they authenticate workloads, services, and devices, so lifecycle control must be treated as part of NHI oversight. Practitioners should stop treating CLM as a certificate-only admin function and align it with identity governance.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: When should organisations move from manual to automated certificate management?

A: They should move as soon as renewal volume, service criticality, or compliance pressure makes human tracking unreliable. A 47-day cadence makes automation a baseline requirement, not an optimisation. The real decision is whether to keep absorbing outage risk or redesign the process before the next renewal storm hits.

👉 Read our full editorial: Certificate lifecycle management is now an identity governance issue



   
ReplyQuote
Share: