TL;DR: Digital certificate usage and transaction volumes have risen 30% since 2021, while poor storage, duplicate copies on devices, weak auditing, and lifecycle gaps continue to expose organisations to identity theft, key theft, forgery, and service disruption, according to Vintegris. The governance problem is no longer certificate availability but certificate custody, traceability, and revocation discipline.
NHIMG editorial — based on content published by Vintegris: Hidden Risks in the Use of Digital Certificates
By the numbers:
- Since 2021, the number of transactions and digital certificates managed by organizations has increased by 30%.
Questions worth separating out
Q: How should security teams govern digital certificates across multiple devices?
A: Security teams should treat certificates as governed identities, not portable files.
Q: Why do digital certificates create compliance and audit risk when they scale?
A: Certificates become a compliance risk when organisations cannot trace who used them, where they were stored, or when they were revoked.
Q: What breaks when certificate renewal and revocation are handled manually?
A: Manual renewal and revocation usually fail first at the edges, where certificates are distributed across teams, devices, and business processes.
Practitioner guidance
- Map certificate inventory to authoritative owners Build a single inventory that links each certificate to a business owner, technical owner, issuing authority, and current usage context.
- Eliminate unmanaged local copies Prohibit certificate storage on shared or personal devices unless the copy is explicitly controlled, logged, and revocable.
- Automate expiry, renewal, and revocation workflows Set renewal thresholds and revocation triggers that are tied to the certificate owner and service dependency.
What's in the full article
Vintegris' full article covers the operational detail this post intentionally leaves for the source:
- How centralized certificate custody reduces duplicate copies on shared and mobile devices.
- The specific risks tied to certificate migration, insecure transmission, and weak storage practices.
- How evidence of use supports auditability, compliance, and dispute handling in signed workflows.
- The practical role of qualified trust service providers in certificate issuance and custody.
👉 Read Vintegris' analysis of hidden risks in digital certificate management →
Digital certificate sprawl: where are your custody controls failing?
Explore further
Certificate custody is the real control plane, not certificate storage. The article’s central failure mode is not that certificates exist, but that they are copied, moved, and reused without clear authoritative control. Once multiple copies exist on endpoints and shared devices, the organisation can no longer prove which instance is legitimate. Practitioners should treat certificate custody as an identity governance issue, not a file-management task.
A few things that frame the scale:
- 66% report that managing machine identities requires significantly more manual intervention compared to human identity management, according to The Critical Gaps in Machine Identity Management report.
- 57% of organisations lack a complete inventory of their machine identities, which is why certificate sprawl so often becomes an ownership problem before it becomes a technical one.
A question worth separating out:
Q: Who is accountable when a digitally signed document is forged or misused?
A: Accountability sits with the organisation that issued, stored, and governed the certificate, not just the person who used it. If custody is unclear or revocation is delayed, the organisation cannot prove control over the signing authority. That is why certificate governance belongs in identity and compliance oversight, not only in infrastructure operations.
👉 Read our full editorial: Digital certificate sprawl is turning trust services into security risk