
Certificate validity and revocation: what IAM teams need to get right


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Certificate validity, private key protection, and revocation are presented by DigiCert as three linked decisions that determine whether PKI reduces risk or extends it, especially as long-lived certificates, key compromise, and deprecation events like SHA-1 age into operational exposure. The governing assumption is simple: if certificates and keys can persist too long without fast replacement, revocation, and storage controls, security debt accumulates.

NHIMG editorial — based on content published by DigiCert: Mitigating Risk: The Importance of Considering Your Certificate Practices

By the numbers:

Questions worth separating out

Q: How should security teams govern certificate lifetimes in machine identity programmes?

A: Security teams should align certificate lifetimes with their ability to renew, reissue, and revoke at scale.

Q: Why do private keys need separate controls from certificate policy?

A: Because a certificate only authenticates trust if the private key remains secret.

Q: What breaks when certificate revocation is difficult to reach operationally?

A: Revocation becomes ineffective if devices cannot reliably check status through CRL or OCSP paths.

Practitioner guidance

  • Shorten certificate lifetimes to match replacement capability: set validity periods only after confirming that reissue, renewal, and rollback are automated across the environments where certificates are used.
  • Move private keys out of plaintext storage: use encrypted key stores or hardware-backed protection such as TPMs for device and application keys.
  • Test revocation in offline and intermittent environments: validate CRL caching, OCSP reachability, and fallback behaviour on devices that cannot depend on constant internet access.

What's in the full article

DigiCert's full blog post covers the operational PKI detail this post intentionally leaves for the source:

  • The article’s deeper explanation of certificate validity trade-offs for product and device design
  • The detailed CRL and OCSP discussion, including how revocation can work in intermittent connectivity scenarios
  • The practical examples around private key storage, hardware protection, and replacement planning
  • The SHA-1 deprecation example and why algorithm transitions change PKI governance decisions

👉 Read DigiCert's article on mitigating risk in certificate practices →




(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Certificate policy is identity policy for machines. The article is strongest when it treats certificate validity, key protection, and revocation as one governance problem rather than separate technical settings. That maps directly to OWASP-NHI and NIST CSF thinking: the trust boundary is the credential, not the application alone. For practitioners, the lesson is that certificate governance belongs in lifecycle management, not in a post-deployment troubleshooting queue.

A few things that frame the scale:

  • 53% of organisations have experienced a security incident directly related to machine identity management failures, according to The Critical Gaps in Machine Identity Management report.
  • 61% rely on spreadsheets or manual tracking for machine identity management, which leaves certificate ownership and expiry monitoring vulnerable to human error.

A question worth separating out:

Q: How do certificate lifetimes, key storage, and revocation work together?

A: They form a single trust chain. Longer lifetimes increase exposure, weak key storage increases compromise likelihood, and revocation determines whether compromise can be contained. If any one of those three is poorly designed, the whole PKI trust model becomes easier to abuse.

👉 Read our full editorial: Certificate practices and PKI design are a security control, not a detail
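As an added example (not code from the DigiCert article or either NHIMG post), here is a small stdlib-only Python model of the two points above that are hardest to reason about in prose: the topic starter's guidance to check certificate lifetime against replacement capability and to test OCSP/CRL fallback on intermittent links, and the reply's point that lifetime, key protection and revocation form one trust chain where soft-failing an unknown status quietly removes the revocation leg. MAX_LIFETIME, MAX_CRL_AGE and the certificate/CRL records are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Hypothetical policy knobs (assumptions, not values from the DigiCert article).
MAX_LIFETIME = timedelta(days=398)  # longest validity the programme can rotate on time
MAX_CRL_AGE = timedelta(hours=24)   # a cached CRL older than this is treated as stale

@dataclass(frozen=True)
class CertView:  # what a relying party needs from the certificate (constructed, not parsed)
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class CachedCRL:  # CRL held locally by a device that cannot reach the CA on every check
    fetched_at: datetime        # when the device last pulled it
    next_update: datetime       # the CRL's own nextUpdate field
    revoked_serials: frozenset  # serials listed as revoked

def revocation_status(cert, now, ocsp_result, crl):
    """ocsp_result is 'good', 'revoked', or None when the responder was unreachable;
    fall back to the cached CRL only while it is within nextUpdate and fresh."""
    if ocsp_result in ("good", "revoked"):
        return ocsp_result
    if crl and now < crl.next_update and now - crl.fetched_at <= MAX_CRL_AGE:
        return "revoked" if cert.serial in crl.revoked_serials else "good"
    return "unknown"  # no authoritative answer available offline

def evaluate(cert, now, ocsp_result=None, crl=None, hard_fail=True):
    """Return (accept, findings); hard_fail=False soft-fails on 'unknown',
    which is how revocation silently stops working on intermittent links."""
    findings, status = [], revocation_status(cert, now, ocsp_result, crl)
    if not cert.not_before <= now <= cert.not_after:
        findings.append("outside validity window")
    if cert.not_after - cert.not_before > MAX_LIFETIME:
        findings.append("lifetime exceeds replacement capability")  # advisory, not blocking
    if status != "good":
        findings.append("revocation status " + status)
    accept = ("outside validity window" not in findings and status != "revoked"
              and not (status == "unknown" and hard_fail))
    return accept, findings

def demo():
    """Constructed scenario: OCSP responder down, device holds a cached CRL."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    cert = CertView(0x1234, now - timedelta(days=30), now + timedelta(days=700))
    fresh = CachedCRL(now - timedelta(hours=6), now + timedelta(days=3), frozenset({0x1234}))
    stale = CachedCRL(now - timedelta(days=2), now + timedelta(days=3), frozenset())
    return {"ocsp_good": evaluate(cert, now, "good"),
            "crl_fallback_revoked": evaluate(cert, now, None, fresh),
            "stale_crl_hard_fail": evaluate(cert, now, None, stale),
            "stale_crl_soft_fail": evaluate(cert, now, None, stale, hard_fail=False)}
```

The 730-day certificate is flagged in every case but only blocks when it is revoked or when an unknown status meets a hard-fail policy; the soft-fail case accepts it, which is the gap the offline revocation testing is meant to surface.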


