TL;DR: A wave of certificate and policy changes across 2026 and 2027 will shorten public TLS validity, enforce MPIC, validate DNSSEC, and retire legacy code signing, according to DigiCert’s trust calendar. Certificate lifecycle pressure is now a governance problem, not just a PKI operations issue.
NHIMG editorial — based on content published by DigiCert: Stay Ahead of What’s Changing in Digital Trust
By the numbers:
- Only 38% have automated certificate lifecycle management in place.
- 69% of organisations now have more machine identities than human ones.
Questions worth separating out
Q: How should teams manage certificate lifecycles when validity windows keep shrinking?
A: Teams should treat certificate lifecycle management as a continuous control, not a renewal calendar.
Q: When do certificate policy changes become a governance risk instead of a technical update?
A: They become a governance risk when renewal, validation, and revocation are spread across teams or tracked manually.
Q: What breaks when legacy code signing or ACME paths are retired?
A: What breaks is usually the hidden dependency map.
Practitioner guidance
- Map every certificate class to a named owner Assign accountable owners for public TLS, code signing, and internal trust anchors so renewals, validation changes, and revocation events do not depend on tribal knowledge.
- Automate renewal and validation checks Replace spreadsheet tracking with monitored workflows that verify expiry, domain validation, and issuance prerequisites well before policy deadlines.
- Inventory legacy trust dependencies Find every system still tied to retired ACME paths, deprecated signing actions, or old root hierarchies and sequence migrations before enforcement dates.
What's in the full article
DigiCert's full trust calendar covers the operational detail this post intentionally leaves for the source:
- Month-by-month dates for upcoming certificate, validation, and root-policy transitions that teams can fold into change calendars.
- Specific product-linked change notes for MPIC, CT logging, and code-signing support that matter during implementation.
- Transition references for legacy ACME and signing workflows that help platform teams plan remediation sequencing.
- The source calendar's direct links to change notices and supporting pages for teams that need operational context.
👉 Read DigiCert's trust calendar for upcoming certificate and policy changes →
Certificate lifecycles are shrinking: what should IAM teams do now?
Explore further
Certificate lifecycle has become a governance issue, not a PKI housekeeping task. The calendar shows that validity, validation, and trust-anchor changes are landing in coordinated waves rather than isolated events. That means ownership, automation, and exception handling now matter as much as cryptographic strength. Teams that still treat certificates as infrastructure details will miss the identity governance problem underneath. The practitioner conclusion is simple: lifecycle control is now part of digital trust governance.
A few things that frame the scale:
- 53% of organisations have experienced a security incident directly related to machine identity management failures, according to The Critical Gaps in Machine Identity Management report.
- Average time to detect a compromised machine identity: 214 days.
A question worth separating out:
Q: Which controls matter most when MPIC and DNSSEC requirements tighten?
A: The most important controls are issuance-path testing, DNS governance, and exception management. MPIC and DNSSEC reduce trust in weak validation paths, so teams need to verify that their domain-control and CA-validation processes still work under the new rules. Otherwise, certificate requests fail at the point where automation is supposed to save time.
👉 Read our full editorial: Digital trust planning is tightening as certificate lifecycles shrink