TL;DR: Matter device launches are being framed as a certification and certificate-lifecycle problem, with claims of up to 65% faster certification, 50% less DevSecOps overhead, and zero exposed keys when issuance, rotation, and revocation are handled in a managed workflow, according to DigiCert. The governance lesson is that device trust breaks fastest where teams still treat PKI as an engineering side task rather than an identity programme.
NHIMG editorial — based on content published by DigiCert: DigiCert + Beechwoods Embedded Experts Device Trust
By the numbers:
- Up to 65% faster certification cycles for IoT OEMs (Beechwoods' average).
- 50% less DevSecOps overhead when PKI, key management, and OTA workflows run on one platform.
Questions worth separating out
Q: How should teams govern certificate-based device identities in IoT programmes?
A: Treat device certificates as non-human identities with an owner, lifecycle, and revocation path.
Q: Why do IoT certificates become a governance risk when they are not rotated?
A: Unrotated certificates extend trust far beyond the point where the conditions under which they were issued (the device's owner, firmware, and deployment context) still hold.
Q: What breaks when device certificate revocation is handled manually?
A: Manual revocation breaks at scale because fleets change faster than ticket-based processes can keep up with, so a compromised or retired device keeps a trusted certificate until someone gets to the ticket.
Practitioner guidance
- Map Matter certificates into your NHI inventory: treat each device certificate as a governed identity record with an owner, purpose, issuance source, expiry date, and revocation path.
- Automate certificate rotation and revocation workflows: replace manual renewal and revocation steps with policy-driven workflows that can operate across constrained devices and large fleets.
- Require telemetry for certificate health and anomalies: track revocation status, expiry proximity, failed validation, and unusual device certificate behaviour in one operational view.
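The three bullets above describe one procedure: build an identity record per device certificate, then keep it healthy with automated checks. The following Go program is an added example, not code from DigiCert, Beechwoods or the NHIMG editorial, showing what that record and its health checks look like in practice. It builds a constructed fleet against a three-level chain in Matter's attestation terminology (a PAA root, a PAI intermediate, and DAC leaf certificates), which the page itself does not name, and assesses each DAC for chain validity, expiry proximity, and revocation. The revoked-serial set, the 30-day warning window, the owner label and all certificate names are assumptions standing in for whatever the real programme uses; only Go's standard library is needed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceRecord is one governed identity record: the inventory fields from the first
// bullet plus the health signals the telemetry bullet asks for.
type DeviceRecord struct {
	Serial       string
	Owner        string
	IssuerCN     string
	NotAfter     time.Time
	DaysToExpiry int
	ChainValid   bool
	Revoked      bool
	Findings     []string
}

// newCert signs a P-256 certificate for cn (P-256 is the curve Matter device
// certificates use). A nil parent produces a self-signed certificate.
func newCert(cn string, serial int64, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Assess turns one device certificate into an inventory record with health findings.
// Revocation is modelled as a revoked-serial set (an assumption for this example).
func Assess(cert *x509.Certificate, owner string, roots, inters *x509.CertPool,
	revoked map[string]bool, now time.Time, warnDays int) DeviceRecord {
	rec := DeviceRecord{
		Serial:       cert.SerialNumber.String(),
		Owner:        owner,
		IssuerCN:     cert.Issuer.CommonName,
		NotAfter:     cert.NotAfter,
		DaysToExpiry: int(cert.NotAfter.Sub(now).Hours() / 24),
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	rec.ChainValid = err == nil
	if err != nil {
		rec.Findings = append(rec.Findings, "chain validation failed: "+err.Error())
	}
	switch {
	case rec.DaysToExpiry < 0:
		rec.Findings = append(rec.Findings, "expired")
	case rec.DaysToExpiry <= warnDays:
		rec.Findings = append(rec.Findings, fmt.Sprintf("expires in %d days", rec.DaysToExpiry))
	}
	if revoked[rec.Serial] {
		rec.Revoked = true
		rec.Findings = append(rec.Findings, "revoked: remove from fleet")
	}
	return rec
}

// Fleet builds a constructed sample fleet (one healthy, one expiring, one expired,
// one issued by an untrusted CA, one revoked) and returns the assessed records.
func Fleet() map[string]DeviceRecord {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock keeps results deterministic
	day, year := 24*time.Hour, 365*24*time.Hour
	paa, paaKey := newCert("Example PAA", 1, now.Add(-2*year), now.Add(10*year), true, nil, nil)
	pai, paiKey := newCert("Example PAI", 2, now.Add(-year), now.Add(5*year), true, paa, paaKey)
	rogue, rogueKey := newCert("Untrusted CA", 3, now.Add(-year), now.Add(5*year), true, nil, nil)

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(paa)
	inters.AddCert(pai)

	devices := map[string]*x509.Certificate{}
	devices["healthy"], _ = newCert("DAC healthy", 100, now.Add(-30*day), now.Add(2*year), false, pai, paiKey)
	devices["expiring"], _ = newCert("DAC expiring", 101, now.Add(-year), now.Add(10*day), false, pai, paiKey)
	devices["expired"], _ = newCert("DAC expired", 102, now.Add(-2*year), now.Add(-day), false, pai, paiKey)
	devices["rogue"], _ = newCert("DAC rogue", 103, now.Add(-year), now.Add(year), false, rogue, rogueKey)
	devices["revoked"], _ = newCert("DAC revoked", 104, now.Add(-year), now.Add(year), false, pai, paiKey)

	revoked := map[string]bool{"104": true} // assumed revocation source
	out := map[string]DeviceRecord{}
	for name, c := range devices {
		out[name] = Assess(c, "team-iot-platform", roots, inters, revoked, now, 30)
	}
	return out
}

func main() {
	for name, r := range Fleet() {
		fmt.Printf("%-8s serial=%s issuer=%q expires_in=%dd chain_ok=%v revoked=%v findings=%v\n",
			name, r.Serial, r.IssuerCN, r.DaysToExpiry, r.ChainValid, r.Revoked, r.Findings)
	}
}
```

Each record carries its owner and issuance source alongside the health signals, so a single view shows both who is accountable and what is wrong. The two failure modes the page warns about surface directly: the "rogue" DAC fails chain validation because its issuer is not anchored to the trusted root, and the "revoked" DAC still validates cryptographically, which is exactly why revocation status has to be a tracked field rather than something the chain check is assumed to cover.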
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- How DigiCert TrustCore SDK and intermediate CA handling are applied in embedded Matter environments
- The certificate provisioning and lifecycle workflow behind per-device issuance, rotation, and revocation
- The partner-supported certification process, including CSA testing and paperwork handling
- The telemetry and FIPS-validated HSM handling described for device certificate health and protection
👉 Read DigiCert's post on Matter certification and device trust for IoT OEMs →
Explore further
Device certificates are non-human identities, not mere deployment artifacts. When OEMs treat certificates as a build step instead of an identity object, they miss the governance reality that each device carries a lifecycle of issuance, rotation, revocation, and audit. That is the same structural problem NHIs create in cloud and SaaS environments, only shifted into embedded systems. The practitioner conclusion is to govern device certificates with identity discipline, not firmware-only thinking.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: What should security teams look for in a certificate trust programme for Matter devices?
A: Look for automatic issuance, rotation, revocation, telemetry, and clear ownership across the device lifecycle. A sound programme should show where identities live, how they are validated, and how expired or compromised certificates are removed without manual intervention. That is what turns PKI into governance rather than overhead.
👉 Read our full editorial: Matter certification and certificate lifecycle for IoT OEMs