Certificate lifecycles are shrinking: what should IAM teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7075
Topic starter  

TL;DR: A wave of certificate and policy changes across 2026 and 2027 will shorten public TLS validity, enforce MPIC, validate DNSSEC, and retire legacy code signing, according to DigiCert’s trust calendar. Certificate lifecycle pressure is now a governance problem, not just a PKI operations issue.

NHIMG editorial — based on content published by DigiCert: Stay Ahead of What’s Changing in Digital Trust

By the numbers:

Questions worth separating out

Q: How should teams manage certificate lifecycles when validity windows keep shrinking?

A: Teams should treat certificate lifecycle management as a continuous control, not a renewal calendar.

Q: When do certificate policy changes become a governance risk instead of a technical update?

A: They become a governance risk when renewal, validation, and revocation are spread across teams or tracked manually.

Q: What breaks when legacy code signing or ACME paths are retired?

A: What breaks is usually the hidden dependency map.

Practitioner guidance

  • Map every certificate class to a named owner. Assign accountable owners for public TLS, code signing, and internal trust anchors so renewals, validation changes, and revocation events do not depend on tribal knowledge.
  • Automate renewal and validation checks. Replace spreadsheet tracking with monitored workflows that verify expiry, domain validation, and issuance prerequisites well before policy deadlines.
  • Inventory legacy trust dependencies. Find every system still tied to retired ACME paths, deprecated signing actions, or old root hierarchies and sequence migrations before enforcement dates.

What's in the full article

DigiCert's full trust calendar covers the operational detail this post intentionally leaves for the source:

  • Month-by-month dates for upcoming certificate, validation, and root-policy transitions that teams can fold into change calendars.
  • Specific product-linked change notes for MPIC, CT logging, and code-signing support that matter during implementation.
  • Transition references for legacy ACME and signing workflows that help platform teams plan remediation sequencing.
  • The source calendar's direct links to change notices and supporting pages for teams that need operational context.

👉 Read DigiCert's trust calendar for upcoming certificate and policy changes →
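
The first two practitioner-guidance items above (named owners, automated expiry checks) can be sketched as a small inventory audit. This is an added example, not part of the original post or DigiCert's material; the record fields, the renew-at-two-thirds-of-lifetime threshold, the 100-day policy limit and all sample certificates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class CertRecord:
    name: str
    cert_class: str            # "public-tls", "code-signing", ...
    owner: Optional[str]       # accountable team, None if unassigned
    not_before: datetime
    not_after: datetime

def audit(inventory, now, max_validity, renew_fraction=2 / 3):
    """Return {cert name: [findings]} for every record that needs action."""
    findings = {}
    for cert in inventory:
        issues = []
        lifetime = cert.not_after - cert.not_before
        if not cert.owner:
            issues.append("no-owner")
        if now >= cert.not_after:
            issues.append("expired")
        elif now >= cert.not_before + lifetime * renew_fraction:
            # Threshold scales with lifetime, so it still works as validity shrinks.
            issues.append("renew-now")
        limit = max_validity.get(cert.cert_class)
        if limit is not None and lifetime > limit:
            issues.append("exceeds-policy-validity")
        if issues:
            findings[cert.name] = issues
    return findings

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data; the 100-day limit is a placeholder, not a date or
# value from DigiCert's calendar.
NOW = utc(2026, 1, 1)
MAX_VALIDITY = {"public-tls": timedelta(days=100)}
INVENTORY = [
    CertRecord("www.example.test", "public-tls", "web-platform", utc(2025, 12, 1), utc(2026, 3, 1)),
    CertRecord("api.example.test", "public-tls", None, utc(2025, 3, 1), utc(2026, 3, 31)),
    CertRecord("build-signer", "code-signing", "release-eng", utc(2023, 1, 1), utc(2025, 12, 15)),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, NOW, MAX_VALIDITY).items():
        print(f"{name}: {', '.join(issues)}")
```

Replace the placeholder limits with the enforcement values from the source calendar, and feed the inventory from the systems that actually issue and deploy certificates rather than a hand-maintained list.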
