
PKI authentication governance: are your certificates and keys under control?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: PKI authentication has supported encrypted, certificate-based trust for decades, but its security still depends on disciplined certificate lifecycle management, private-key protection, and reliable validation, according to Axiad. The governance burden, not the cryptography itself, is what determines whether PKI strengthens identity assurance or becomes a brittle dependency.

NHIMG editorial — based on content published by Axiad: How Does PKI-Based Authentication Work?

By the numbers:

Questions worth separating out

Q: How should security teams govern PKI across cloud and on-premise systems?

A: Security teams should govern PKI as part of the wider identity estate, not as a standalone crypto service.

Q: Why do certificates still create identity risk even when the cryptography is sound?

A: Certificates still create identity risk because the main failure mode is operational, not mathematical.

Q: What do teams get wrong about certificate lifecycle management?

A: Teams often treat certificate renewal as a maintenance task instead of an identity control.

Practitioner guidance

  • Inventory certificate authorities and trust paths: Map every issuing authority, intermediate certificate, and relying application so you know where trust originates and where it is consumed.
  • Tie renewal and revocation to ownership: Assign a business and technical owner to each certificate family so renewal, replacement, and revocation cannot sit in an unknown queue.
  • Protect private keys as high-impact secrets: Store private keys in hardened controls, restrict export, and review where keys are copied into code, config, CI/CD, or device images.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of how PKI validation works in web, email, and document workflows.
  • Practical advantages and disadvantages of PKI implementation from an administrator's perspective.
  • Discussion of certificate-as-a-service versus internally managed PKI operations.
  • Use cases for SSL, IoT, and private networks that show where PKI is commonly deployed.

👉 Read Axiad's explanation of how PKI authentication works →

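Editor's note, added to this thread as a worked example: the code below is not from the post above, from Axiad, or from any product; it is a standalone Go program (standard library only) that turns the first two guidance bullets into something a script can answer. It constructs a small sample estate (the names Corp Root CA, Corp Issuing CA 1, web.corp.internal, Shadow CA and legacy.corp.internal are invented, and the keys are throwaway P-256 keys generated at run time), then inventories the resulting PEM bundle: every self-signed CA becomes a trust anchor, every other CA becomes an intermediate, each certificate is checked for a path to an anchor as of a fixed inventory date, and days to expiry are reported so a renewal window can be applied. The certificate issued by the absent "Shadow CA" is the case the first bullet is about: it parses fine, but nobody mapped where its trust originates, so the inventory marks it untrusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row; ChainOK means a trust path exists to a self-signed CA in the bundle.
type CertRecord struct {
	Subject, Issuer string
	IsCA, ChainOK   bool
	DaysLeft        int // days until NotAfter, measured from the inventory time
}

// Inventory parses the CERTIFICATE blocks in bundle, anchors trust at the self-signed CAs it
// finds, treats the other CAs as intermediates, and verifies every certificate's path to an anchor.
func Inventory(bundle []byte, now time.Time) ([]CertRecord, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" {
			c, err := x509.ParseCertificate(b.Bytes)
			if err != nil {
				return nil, fmt.Errorf("unparsable certificate block: %w", err)
			}
			certs = append(certs, c)
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs {
		if c.IsCA && c.CheckSignatureFrom(c) == nil { // self-signed: where trust originates
			roots.AddCert(c)
		} else if c.IsCA {
			inters.AddCert(c)
		}
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	var out []CertRecord
	for _, c := range certs {
		_, err := c.Verify(opts) // fails for expired certs and for issuers missing from the map
		out = append(out, CertRecord{c.Subject.CommonName, c.Issuer.CommonName, c.IsCA, err == nil,
			int(c.NotAfter.Sub(now).Hours() / 24)})
	}
	return out, nil
}

// NewCert issues a throwaway P-256 certificate for cn, signed by parent (self-signed when parent is nil).
func NewCert(cn string, isCA bool, now, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SampleBundle builds the constructed demo estate: a root, an issuing CA, a web certificate 20 days
// from expiry, and a certificate from a "Shadow CA" that nobody put in the bundle.
func SampleBundle(now time.Time) []byte {
	root, rootKey := NewCert("Corp Root CA", true, now, now.AddDate(10, 0, 0), nil, nil)
	issuing, issuingKey := NewCert("Corp Issuing CA 1", true, now, now.AddDate(5, 0, 0), root, rootKey)
	web, _ := NewCert("web.corp.internal", false, now, now.AddDate(0, 0, 20), issuing, issuingKey)
	shadow, shadowKey := NewCert("Shadow CA", true, now, now.AddDate(10, 0, 0), nil, nil)
	orphan, _ := NewCert("legacy.corp.internal", false, now, now.AddDate(0, 0, 300), shadow, shadowKey)
	var bundle []byte
	for _, c := range []*x509.Certificate{root, issuing, web, orphan} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return bundle
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	recs, err := Inventory(SampleBundle(now), now)
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%-22s issued by %-20q ca=%-5v trusted=%-5v days_left=%-5d renew=%v\n", r.Subject, r.Issuer, r.IsCA, r.ChainOK, r.DaysLeft, r.DaysLeft < 30)
	}
}
```

Run it with go run and it prints one row per certificate. In a real estate the bundle would be assembled from the trust stores, issuing CAs and TLS endpoints you control rather than generated in code, the renew column would feed the owner assigned under the second bullet, and an unparsable block is returned as an error on purpose: an inventory that silently skips what it cannot read is the "unknown queue" the post warns about.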
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

PKI is a trust distribution system, not a substitute for identity governance. Certificates can prove possession of a private key, but they do not by themselves ensure the identity is still authorised, tracked, or properly offboarded. Once certificates are widely deployed across applications, devices, and services, the real risk moves from encryption to governance drift. Practitioners should treat PKI as one layer inside a larger identity control model, not as a standalone answer.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: How do you know if PKI is actually improving identity security?

A: You know PKI is improving identity security when you can inventory certificates, prove key custody, and revoke trust quickly without breaking dependent services. If teams cannot answer where certificates live, who owns them, or how fast revocation propagates, PKI is providing assurance in theory but not in operations.

👉 Read our full editorial: PKI authentication still depends on certificate governance and key control



   
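Editor's note, a second added example for this thread: the program below is not from either post, from Axiad, or from the Ultimate Guide to NHIs cited above. It addresses the "review where keys are copied into code, config, CI/CD" bullet in the first post and the 96% figure in the reply: it scans text for PEM private key blocks, records the line, the block type and whether the block is encrypted, and parses unencrypted keys so the report says what kind of credential is exposed. The config it scans is constructed inside the program (the field names tls_key, ssh_deploy_key and backup_key are invented, the EC and Ed25519 keys are generated at run time, and the ENCRYPTED PRIVATE KEY block holds placeholder bytes rather than real ciphertext). Standard library only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// KeyFinding describes one PEM private key found in text that should hold none.
type KeyFinding struct {
	Line      int    // 1-based line of the BEGIN marker
	Type      string // PEM block type, e.g. "EC PRIVATE KEY"
	Encrypted bool   // PKCS#8 ENCRYPTED block or legacy "Proc-Type: 4,ENCRYPTED" header
	Algorithm string // parsed algorithm and size for unencrypted keys, "" for encrypted ones
}

// FindPrivateKeys walks every PEM block in text (a config file, a CI variable
// dump, a container layer) and reports the private keys, parsing unencrypted
// ones so the report says what kind of credential is sitting there.
func FindPrivateKeys(text string) []KeyFinding {
	var found []KeyFinding
	for consumed := 0; consumed < len(text); {
		block, rest := pem.Decode([]byte(text[consumed:]))
		if block == nil {
			break
		}
		consumed = len(text) - len(rest)
		if !strings.HasSuffix(block.Type, "PRIVATE KEY") {
			continue
		}
		f := KeyFinding{Type: block.Type,
			Line:      1 + strings.Count(text[:strings.LastIndex(text[:consumed], "-----BEGIN ")], "\n"),
			Encrypted: block.Type == "ENCRYPTED PRIVATE KEY" || strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")}
		if !f.Encrypted {
			f.Algorithm = describe(block)
		}
		found = append(found, f)
	}
	return found
}

// describe names the algorithm and size of an unencrypted key block.
func describe(b *pem.Block) string {
	var key any
	var err error
	switch b.Type {
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(b.Bytes)
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(b.Bytes)
	default: // "PRIVATE KEY" and anything else claiming to be one
		key, err = x509.ParsePKCS8PrivateKey(b.Bytes)
	}
	if err != nil {
		return "unparsable"
	}
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		return "ECDSA " + k.Curve.Params().Name
	case *rsa.PrivateKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen())
	case ed25519.PrivateKey:
		return "Ed25519"
	}
	return fmt.Sprintf("%T", key)
}

// SampleConfig is constructed demo input: an app config with two keys pasted in
// and one encrypted PKCS#8 block whose body is placeholder bytes (the scanner
// flags encrypted blocks without opening them).
func SampleConfig() string {
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecDER, _ := x509.MarshalECPrivateKey(ec)
	_, ed, _ := ed25519.GenerateKey(rand.Reader)
	edDER, _ := x509.MarshalPKCS8PrivateKey(ed)
	return "# app.conf, pasted by a deploy script and never removed\ntls_cert = /etc/app/web.pem\n" +
		"tls_key = |\n" + string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: ecDER})) +
		"ssh_deploy_key = |\n" + string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: edDER})) +
		"backup_key = |\n" + string(pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("placeholder")}))
}

func main() {
	for _, f := range FindPrivateKeys(SampleConfig()) {
		fmt.Printf("line %-3d %-22s encrypted=%-5v %s\n", f.Line, f.Type, f.Encrypted, f.Algorithm)
	}
}
```

Point FindPrivateKeys at the contents of anything you would rather not find a key in: repository checkouts, exported CI variables, extracted image layers. A key is reported whether or not it is encrypted, because the encrypted copy still shows the key has left its custody boundary; parsing is skipped for encrypted blocks rather than attempting a passphrase, and a block that claims to be a key but does not parse is reported as "unparsable" instead of dropped.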