TL;DR: IoT security fails when devices, cloud services, and users cannot be reliably authenticated, and DigiCert argues that PKI remains the scalable way to provision trusted credentials, protect data in transit, and manage billions of device identities across heterogeneous environments. The governance challenge is not certificate theory but lifecycle control, because device trust breaks when discovery, provisioning, expiration, and revocation are handled inconsistently.
NHIMG editorial — based on content published by DigiCert: PKI: Solving the IoT Authentication Problem
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams authenticate IoT devices at scale?
A: Use PKI with a unique certificate and private key per device, centralized issuance, and automated renewal, so authentication never depends on secrets shared across the fleet or on manual provisioning. The private key should be generated on the device or injected at manufacture and kept in hardware where the platform allows it, so that a copied firmware image does not carry a usable identity.
Q: Why do IoT programmes need certificate lifecycle management?
A: Because device identity is only useful if it can be discovered, rotated, renewed, and revoked on time.
Q: What breaks when connected devices use weak authentication?
A: Attackers can impersonate devices, tamper with messages, suppress alarms, or move from one trusted system to another through a compromised trust relationship.
Practitioner guidance
- Inventory device identities before expanding PKI rollout. Build a complete register of connected devices, services, and certificate-bearing systems so discovery and provisioning are tied to known assets rather than ad hoc enrollment; a certificate issued to a device that is not in the register is a credential nobody is tracking.
- Automate certificate lifecycle events. Tie issuance, renewal, expiration alerts, and revocation to platform workflows so certificates do not outlive the devices or services they protect, and so renewal starts well before expiry rather than when a device drops offline.
- Separate trust by device class and environment. Use distinct issuing CAs, certificate profiles, and policies for medical devices, industrial systems, edge services, and public-facing endpoints so one compromise does not imply universal trust.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Certificate deployment scenarios for distribution platforms, direct-to-device provisioning, and manufacturing signing
- Operational guidance on REST-based certificate APIs, OCSP checking, and cloud-based certificate management at scale
- The article's practical discussion of certificate expiration, unauthorized certificates, and configuration gaps
- Examples of how the platform is used across connected medical devices, industrial systems, smart homes, and cities
👉 Read DigiCert's post on PKI for IoT device authentication →
IoT authentication and PKI: what IAM teams need to know
Explore further
PKI is the identity control plane for IoT, not just an encryption feature. The article correctly frames the problem as one of trust, because connected devices need verifiable identity before they can be allowed to speak, act, or exchange data. In NHI terms, certificates are not auxiliary protection. They are the mechanism that lets security teams distinguish legitimate devices from impersonation at machine scale. Practitioners should treat PKI as core identity infrastructure, not a crypto add-on.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly machine identity oversight degrades when environments scale beyond manual control.
A question worth separating out:
Q: How do certificate management failures affect Zero Trust for IoT?
A: Zero Trust depends on strong, verifiable identity at the point of access. When certificates are expired, misconfigured, or untracked, policy decisions become unreliable because the platform cannot tell whether a device is legitimate. That undermines continuous verification and weakens the entire trust model.
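As a concrete illustration of the practitioner guidance above (inventory first, automate lifecycle events, separate trust by device class) and of the Zero Trust point just made, here is an added example of the gateway-side checks in Go, using only the standard library. It is editorial code, not DigiCert's and not from the source article, and everything in it is constructed for the illustration: the Fleet and Decision types, the method names, the "Example medical device CA" and "pump-0001" identifiers, the 30-day renewal window, and the in-memory Known and Revoked sets that stand in for an asset register and for a CRL or OCSP responder are all assumptions, not DigiCert's platform API. Each device class gets its own issuing CA, each device its own key and client-auth certificate, and Authenticate turns the lifecycle state of a presented certificate into a policy decision: expired, signed by another class's CA, revoked, or never inventoried all deny, while a certificate inside the renewal window is still admitted but flagged so renewal runs before it lapses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Decision is what the gateway's policy engine acts on; only the two "allow" values admit the device.
type Decision string
const (
	Allow, RenewSoon                   Decision = "allow", "allow-renewal-due"
	Expired, WrongCA, Revoked, Unknown Decision = "deny-expired", "deny-untrusted-chain", "deny-revoked", "deny-not-in-inventory"
)

// sign gives tmpl a fresh Ed25519 key and a random 64-bit serial, then has parent sign it (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // a nil serial is rejected below
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Fleet is one device class with its own issuing CA, so that trust in one class is never trust in all of them.
type Fleet struct {
	ca      *x509.Certificate
	caKey   ed25519.PrivateKey // in memory for this example only; a real CA key lives in an HSM or managed PKI
	roots   *x509.CertPool
	Known   map[string]bool // the asset register (hypothetical): device IDs allowed to authenticate
	Revoked map[string]bool // serials of decommissioned or compromised devices; stands in for the CRL or OCSP responder
	RenewIn time.Duration   // renewal is due when less than this remains
}

// NewFleet mints the class CA; a device must be added to Known before the gateway will trust it.
func NewFleet(class string, renewIn time.Duration) (*Fleet, error) {
	ca, key, err := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example " + class + " device CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	f := &Fleet{ca: ca, caKey: key, roots: x509.NewCertPool(), Known: map[string]bool{}, Revoked: map[string]bool{}, RenewIn: renewIn}
	f.roots.AddCert(ca)
	return f, nil
}

// Issue mints one client-auth certificate per device with its own key, so authentication never rests on a shared secret.
func (f *Fleet) Issue(id string, lifetime time.Duration) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{ // the device key is dropped here; on a real device it never leaves its secure element
		Subject: pkix.Name{CommonName: id}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
	}, f.ca, f.caKey)
	return cert, err
}

// Authenticate is the gateway check: validity at now, chain to this class's CA, revocation, inventory, then renewal horizon.
func (f *Fleet) Authenticate(cert *x509.Certificate, now time.Time) Decision {
	opts := x509.VerifyOptions{Roots: f.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	switch _, err := cert.Verify(opts); {
	case now.After(cert.NotAfter):
		return Expired
	case err != nil:
		return WrongCA
	case f.Revoked[cert.SerialNumber.String()]:
		return Revoked
	case !f.Known[cert.Subject.CommonName]:
		return Unknown
	case cert.NotAfter.Sub(now) < f.RenewIn:
		return RenewSoon
	}
	return Allow
}
func main() {
	med, err := NewFleet("medical", 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	med.Known["pump-0001"] = true
	cert, err := med.Issue("pump-0001", 10*24*time.Hour) // 10 days left: inside the 30-day renewal window
	if err != nil {
		panic(err)
	}
	fmt.Println(med.Authenticate(cert, time.Now())) // allow-renewal-due
}
```

Run as written, it registers one pump, issues it a 10-day certificate and prints allow-renewal-due: the device is still admitted, but the gateway has signalled that renewal must run now rather than after the certificate lapses. Presenting the medical gateway a certificate issued by a second Fleet built for the industrial class yields deny-untrusted-chain even when the subject name is identical, which is the "separate trust by device class" point in practice: the decision rests on the chain, not the name. A certificate that was issued but never added to Known is denied as not-in-inventory, which is why the inventory has to exist before the rollout. In production, the device key is generated on the device or at manufacture, the CA key sits in an HSM or a managed PKI, and the Revoked map is replaced by the CRL or OCSP checking that the full DigiCert article covers.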
👉 Read our full editorial: PKI is the trust layer IoT authentication still depends on