TL;DR: 54% of enterprise respondents lacked policy enforcement and remediation for keys and certificates, while another 54% did not know how many they had, where they were, or how they were used, according to DigiCert citing Ponemon Institute data. That combination turns certificate sprawl into a governance failure, not just an operational one.
NHIMG editorial — based on content published by DigiCert: Securing Enterprise Keys and Certificates Should Be a Priority
By the numbers:
- 54% admit to lacking policy enforcement and remediation for keys and certificates.
- 54% of security professionals say they don’t even know how many keys and certificates they have, where they are located, or how they are used.
Questions worth separating out
Q: How should security teams govern keys and certificates across large environments?
A: Treat keys and certificates as lifecycle-managed trust assets with explicit owners, usage records, renewal dates, and revocation paths.
Q: Why do unmanaged certificates create more than an outage risk?
A: Because a certificate is tied to a private key that proves identity, unmanaged certificates can enable impersonation, decryption, or fraudulent trust relationships.
Q: What do security teams get wrong about private key protection?
A: Teams often focus on encryption status and forget the operational controls around storage, ownership, and access.
Practitioner guidance
- Create a complete key and certificate inventory: Map every certificate to an owner, system, renewal date, and usage path so that no trust anchor remains unattributed or orphaned.
- Separate issuance, storage, and revocation controls: Assign different operational responsibilities for certificate creation, private key storage, and retirement so that one team cannot silently approve all three states.
- Move high-value private keys into hardware-backed storage: Use secure cryptographic hardware for the certificates that protect customer traffic, code signing, and other critical trust paths.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The article's full discussion of policy enforcement gaps across enterprise key and certificate estates.
- The practical reasons the article recommends cryptographic hardware for key storage in critical environments.
- The operational cost discussion around replacing compromised certificates across affected platforms and services.
- The source article's examples of how certificate trust failures can affect customer confidence and compliance obligations.
👉 Read DigiCert's analysis of enterprise key and certificate security →
Keys and certificates: what are governance teams missing?
Explore further
Enterprise certificate governance fails first at visibility, not cryptography: The article shows that organisations cannot secure what they cannot inventory, and the 54% figure for lost visibility is the real warning sign. In practice, keys and certificates behave like non-human identities with hidden ownership, hidden usage, and hidden renewal risk. The practitioner conclusion is that inventory quality is the control surface, not a reporting exercise.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How do organisations know whether certificate governance is actually working?
A: Look for complete inventory coverage, named ownership, timely renewal, documented revocation, and evidence that expired or unused certificates are removed quickly. If teams cannot answer where a certificate lives or who uses it, governance is not working, even if the platform reports that encryption is enabled.
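The inventory mapping from the practitioner guidance above and the governance checks in this answer (ownership, renewal, revocation path, unused certificates, coverage) can be turned into a repeatable audit. The following is an added example, not DigiCert's or NHIMG's code; the record fields, the sample inventory and the 30-day renewal and 90-day unused thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class CertRecord:
    subject: str                             # name the certificate asserts (CN/SAN)
    system: str                              # host or service it is deployed on
    not_after: date                          # expiry taken from the certificate itself
    owner: Optional[str] = None              # named accountable team or person
    usage: Optional[str] = None              # trust path it protects (customer TLS, code signing, ...)
    revocation_path: Optional[str] = None    # documented way to revoke it and who may trigger it
    last_seen_in_use: Optional[date] = None  # last observed handshake or signature using it

TODAY = date(2025, 1, 15)  # fixed clock so the audit is reproducible

# Constructed sample inventory; hosts and names are placeholders, not real systems.
SAMPLE = [
    CertRecord("www.example.internal", "edge-lb-01", TODAY + timedelta(days=200),
               "platform-team", "customer TLS", "OCSP via internal CA; owner revokes",
               TODAY - timedelta(days=1)),
    CertRecord("release-signing", "build-signer-01", TODAY + timedelta(days=20),
               "release-eng", "code signing", "CRL via internal CA; release-eng revokes",
               TODAY - timedelta(days=3)),
    CertRecord("legacy-api.example.internal", "app-07", TODAY - timedelta(days=10)),
    CertRecord("svc-batch.example.internal", "batch-02", TODAY + timedelta(days=300),
               "data-team", "internal mTLS", None, TODAY - timedelta(days=120)),
]

def audit(records, today=TODAY, renewal_window_days=30, unused_after_days=90):
    """Return governance findings keyed by the failure mode each one represents."""
    findings = {"unattributed": [], "expired": [], "expiring": [],
                "no_revocation_path": [], "unused": []}
    for r in records:
        if not r.owner:                                    # nobody accountable for the key
            findings["unattributed"].append(r.subject)
        if r.not_after < today:                            # still in inventory after expiry
            findings["expired"].append(r.subject)
        elif (r.not_after - today).days <= renewal_window_days:
            findings["expiring"].append(r.subject)         # renewal must start now
        if not r.revocation_path:                          # cannot be retired in a hurry
            findings["no_revocation_path"].append(r.subject)
        if r.last_seen_in_use is None or (today - r.last_seen_in_use).days > unused_after_days:
            findings["unused"].append(r.subject)           # candidate for prompt removal
    return findings

def coverage(records):
    """Fraction of inventoried certificates with owner, usage and revocation path all recorded."""
    complete = sum(1 for r in records if r.owner and r.usage and r.revocation_path)
    return complete / len(records) if records else 0.0
```

A coverage value well below 1.0, or any entry in the unattributed and expired lists, is the "cannot answer where it lives or who uses it" signal the answer above describes.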
👉 Read our full editorial: Enterprise key and certificate governance still fails without inventory