TL;DR: Zero Trust depends on public key infrastructure, MFA, and SSO to verify every user, device, service, and document at each connection, making continuous verification the basis of digital trust, according to DigiCert. The governance question is no longer whether to trust identities less, but whether current controls can prove identity reliably across every access path.
NHIMG editorial — based on content published by DigiCert: Zero Trust and PKI as the foundation of digital trust
Questions worth separating out
Q: How should security teams implement Zero Trust for both human and machine identities?
A: Security teams should use Zero Trust as an identity verification model, not just a network segmentation model: every user, device, service, and document has to present a verifiable credential at each connection, and the standard of proof for a workload (a certificate it can present without a person present) should be as strong as the MFA-backed SSO login required of a human.
Q: Why do service and workload identities need PKI in Zero Trust environments?
A: Service and workload identities often need to authenticate without a human present, which makes passwords and one-time logins a poor fit.
Q: What breaks when certificate lifecycle management is weak?
A: Weak certificate lifecycle management creates stale trust (certificates that remain valid after the workload or person they were issued to is gone), expired access (certificates that lapse unnoticed and either break connections or tempt someone to disable expiry checks), and revocation gaps (keys that have been revoked on paper but are still accepted because the revocation never reached the systems that verify them).
Practitioner guidance
- Map trust points to cryptographic identity proof: Identify every place where a user, device, service, or document is accepted on the strength of a trust decision, and record which cryptographic proof (certificate, signature, MFA-backed assertion) actually backs that decision and which places have none.
- Align MFA and SSO with workload identity controls: Use MFA and SSO for human access, but pair them with certificate-based identity for workloads, services, and remote systems that must authenticate without human interaction, since a password or one-time login has no place in a machine-to-machine connection.
- Put certificate lifecycle under governance: Track issuance, renewal, rotation, expiration, and revocation as governed identity events, each with an owner and an audit record, so that an expiring, rotated, or revoked certificate is acted on before it becomes an outage or an unnoticed gap.
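The three failure modes named in the answer above (stale trust, expired access, revocation gaps) and the lifecycle events in the last guidance bullet, worked as an added example. This is not DigiCert's or NHIMG's code; it assumes a hypothetical certificate inventory export and a hypothetical workload registry, both constructed inline, and the field names are assumptions rather than any product's schema. Given an inventory of issued certificates, which hosts still present each one, and which workload identities are still registered, it emits one governed finding per lifecycle failure:

```python
"""Certificate lifecycle governance check over a constructed inventory.

Added example, not DigiCert's or NHIMG's code. The inventory export and the
workload registry below are hypothetical, constructed inline; field names
are assumptions, not a real product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    serial: str
    identity: str          # SAN URI the workload authenticates as
    not_before: datetime
    not_after: datetime
    revoked: bool          # present on the issuing CA's CRL
    deployed_on: tuple     # hosts still presenting this certificate


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (not real certificates, hosts or identities).
NOW = _utc(2024, 6, 1)

INVENTORY = [
    # healthy: issued recently, in use, identity still registered
    CertRecord("1001", "spiffe://corp/payments-api", _utc(2024, 5, 1), _utc(2024, 7, 30), False, ("pay-01", "pay-02")),
    # rotated off every host but never revoked: a live key nobody owns
    CertRecord("1002", "spiffe://corp/payments-api", _utc(2024, 4, 15), _utc(2024, 7, 14), False, ()),
    # expired a month ago yet a host still presents it
    CertRecord("1003", "spiffe://corp/payments-api", _utc(2024, 2, 1), _utc(2024, 5, 1), False, ("pay-03",)),
    # 12 of 90 days left: inside the renewal window
    CertRecord("1004", "spiffe://corp/ledger-svc", _utc(2024, 3, 15), _utc(2024, 6, 13), False, ("ledger-01",)),
    # workload decommissioned, certificate still valid and deployed
    CertRecord("1005", "spiffe://corp/batch-reporter", _utc(2024, 4, 1), _utc(2025, 4, 1), False, ("batch-07",)),
    # revoked on the CRL, but the host never picked up the replacement
    CertRecord("1006", "spiffe://corp/inventory-svc", _utc(2024, 1, 10), _utc(2025, 1, 9), True, ("inv-02",)),
    # the replacement for 1006: healthy
    CertRecord("1007", "spiffe://corp/inventory-svc", _utc(2024, 5, 20), _utc(2024, 8, 18), False, ("inv-02",)),
    # expired and retired: nothing to report
    CertRecord("1008", "spiffe://corp/inventory-svc", _utc(2023, 11, 22), _utc(2024, 2, 20), False, ()),
]

ACTIVE_WORKLOADS = {
    "spiffe://corp/payments-api",
    "spiffe://corp/ledger-svc",
    "spiffe://corp/inventory-svc",
}


def lifecycle_findings(inventory, active_workloads, now, renewal_fraction=0.25):
    """Return sorted (code, serial, identity, detail) tuples, one per lifecycle failure.

    renewal_fraction: flag renewal once remaining validity falls to this
    fraction of the certificate's total lifetime, so a 90-day workload cert
    and a one-year device cert are judged on the same scale.
    """
    findings = []
    for c in inventory:
        lifetime = c.not_after - c.not_before
        remaining = c.not_after - now
        hosts = ",".join(c.deployed_on)
        if c.revoked:
            # Revocation was recorded, but the revoked key is still in service.
            if c.deployed_on:
                findings.append(("REVOCATION_GAP", c.serial, c.identity,
                                 f"revoked certificate still presented by {hosts}"))
            continue
        if now >= c.not_after:
            # Expired and retired is normal; expired and deployed means a
            # failing connection or, worse, a verifier that skips expiry.
            if c.deployed_on:
                findings.append(("EXPIRED_STILL_DEPLOYED", c.serial, c.identity,
                                 f"expired {(now - c.not_after).days} days ago, still on {hosts}"))
            continue
        if not c.deployed_on:
            # Valid certificate with no host: rotated out but never revoked.
            findings.append(("ROTATED_NOT_REVOKED", c.serial, c.identity,
                             f"valid for {remaining.days} more days, deployed nowhere"))
            continue
        if c.identity not in active_workloads:
            # The credential outlived the workload it was issued to.
            findings.append(("STALE_TRUST", c.serial, c.identity,
                             f"identity not in workload registry, still on {hosts}"))
            continue
        if remaining <= lifetime * renewal_fraction:
            findings.append(("RENEW_NOW", c.serial, c.identity,
                             f"{remaining.days} of {lifetime.days} days remain"))
    return sorted(findings)


def run_check():
    """Run the check over the constructed inventory at the fixed sample time."""
    return lifecycle_findings(INVENTORY, ACTIVE_WORKLOADS, NOW)


if __name__ == "__main__":
    for code, serial, identity, detail in run_check():
        print(f"{code:24} {serial} {identity}: {detail}")
```

Each finding is an identity event with a serial, an identity, and a reason, which is what "governed" means in practice: it can be assigned, tracked, and closed. The ordering of the checks matters. A revoked certificate is a gap whether or not it has expired, an expired certificate that nobody presents is not worth a ticket, and a certificate whose workload has been decommissioned should be retired rather than renewed, so the renewal check runs last. The renewal window is a fraction of lifetime rather than a fixed number of days so that short-lived workload certificates and long-lived device certificates are held to the same policy.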
What's in the full article
DigiCert's full article covers the operational detail this post intentionally leaves for the source:
- How DigiCert positions PKI inside a Zero Trust architecture for apps, services, and devices
- The operational role of certificate lifecycle management in centralizing visibility and control
- The vendor's explanation of how MFA and SSO complement certificate-backed verification
- The product framing around trust lifecycle management for identity and access environments
👉 Read DigiCert's overview of Zero Trust, PKI, and digital trust →
PKI and zero trust: are your identity controls verifying every connection?