Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PKI first 90 days: what identity teams need to operationalise


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: PKI is presented as a 90-day governance and architecture programme, not a simple technology rollout, with emphasis on certificate policy, CA hierarchy, HSM-backed key storage, and lifecycle management across issuance, renewal, and revocation according to eMudhra. The real security issue is that certificate trust fails when ownership, monitoring, and offboarding are weak, making identity lifecycle discipline the deciding factor.

NHIMG editorial — based on content published by eMudhra: how to build a PKI foundation in the first 90 days

Questions worth separating out

Q: How should teams govern certificate lifecycles in a PKI programme?

A: Treat certificates as governed identity assets with named ownership, expiry tracking, and explicit revocation authority.

Q: Why does PKI need to be part of identity governance?

A: PKI is an identity control because certificates represent trusted machine and human credentials.

Q: What breaks when certificate revocation is difficult to reach operationally?

A: Revocation becomes ineffective if devices cannot reliably check status through CRL or OCSP paths.

Practitioner guidance

  • Define certificate ownership across teams Name the responsible team for issuance, renewal, revocation, and monitoring before certificates enter production, and document escalation paths for expiry and unauthorized requests.
  • Map certificate lifecycle controls to production risk Track where certificates are issued, how validity periods are set, and how revocation is triggered so that expired or compromised certificates do not remain trusted.
  • Keep private keys under hardened custody Use Hardware Security Modules for root and issuing CA key material, and limit signing operations to approved systems with auditable access.

What's in the full article

eMudhra's full article covers the operational detail this post intentionally leaves for the source:

  • A week-by-week PKI rollout sequence from planning through production go-live
  • Specific certificate policy and certification practice statement considerations for enterprise deployment
  • The BTC case study showing how a national-grade CA environment was assembled and governed
  • Operational examples of certificate issuance, renewal, and revocation training in production settings

👉 Read eMudhra's PKI deployment roadmap and certificate lifecycle guide →

PKI first 90 days: what identity teams need to operationalise?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Certificate lifecycle management is the real control plane of PKI. The article correctly treats issuance, renewal, revocation, and expiry as operational disciplines rather than administrative afterthoughts. That is the right framing for identity teams because certificates are credentials, and credentials without lifecycle governance become invisible risk. Practitioner conclusion: treat certificate lifecycle management as a standing governance process, not a deployment milestone.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means identity teams often lack the inventory discipline needed for certificate and secret governance.

A question worth separating out:

Q: How do HSMs change PKI risk management?

A: HSMs reduce the chance that private keys are copied or exposed on general-purpose systems. For PKI teams, that means key custody becomes a defined control point with better auditability and less operational drift. They do not replace lifecycle governance, but they materially strengthen the trust boundary around certificate signing.

👉 Read our full editorial: PKI deployment is a certificate lifecycle governance problem



   
ReplyQuote
Share: