TL;DR: Digital certificates underpin website security, email, documents, software, and regulated systems, while Apple’s proposed 47-day TLS validity would force eight times more renewal activity than today, according to IdenTrust. That shifts certificate management from a PKI task into a standing NHI governance problem where lifecycle discipline matters more than one-time issuance.
NHIMG editorial — based on content published by IdenTrust: What Is a Digital Certificate? A Beginner's Guide
Questions worth separating out
Q: How should teams manage digital certificate renewals as lifetimes get shorter?
A: Teams should shift certificate renewal from an ad hoc infrastructure task to a governed identity workflow.
Q: Why do short-lived certificates create governance pressure for IAM teams?
A: Short-lived certificates compress the time available to detect, approve, deploy, and validate replacements.
Q: What breaks when certificate ownership is unclear?
A: When ownership is unclear, renewal becomes a scavenger hunt and revocation becomes unreliable.
Practitioner guidance
- Inventory every certificate as an identity asset Record owner, issuing authority, expiry date, deployment location, and business criticality for each certificate so renewal becomes a governed workflow rather than an emergency response.
- Automate renewal for certificates with external dependencies Prioritise certificates that secure customer-facing services, regulated systems, and internal trust chains, then automate renewal, validation, and rollback checks before expiry windows close.
- Link certificate governance to NHI lifecycle controls Apply the same inventory, rotation, and revocation discipline used for service accounts and API keys, and use the NHI Lifecycle Management Guide to shape the operating model.
What's in the full article
IdenTrust's full article covers the practical certificate context this post intentionally leaves at a higher level:
- Plain-language overview of certificate types for websites, email, documents, software, and regulated systems
- Discussion of legal validity, operational efficiency, and compliance considerations tied to certificate use
- Common certificate lifecycle challenges that teams face when selecting and maintaining trust credentials
- Practical starting steps for organisations beginning or refreshing their certificate programme
👉 Read IdenTrust's guide to digital certificates and trust online →
Digital certificate lifecycle: is your IAM programme ready for 47-day renewals?
Explore further
Digital certificates should be treated as governed non-human identities, not just cryptographic objects. Their risk profile is defined by who owns them, how they are rotated, and whether revocation is reliable. The article’s lifecycle emphasis is a reminder that identity governance breaks down when certificates sit outside the same operational discipline as other NHIs. Practitioners should fold certificates into the same control plane used for workload identity and secret management.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often lifecycle control gaps start with missing inventory rather than missing policy.
A question worth separating out:
Q: Which framework should teams use for certificate lifecycle governance?
A: Teams should align certificate governance with NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls, then map certificates into their wider NHI lifecycle process. That approach gives identity teams a structured way to handle inventory, access control, and recovery when trust credentials fail.
👉 Read our full editorial: Digital certificate lifecycle is becoming an identity governance problem