TL;DR: PKI underpins digital certificates, trust chains, encryption, revocation, and authentication across organisations, devices, and services, but implementation still breaks down when key management, certificate lifecycle control, and audit discipline are weak, according to GlobalSign. The core issue is not PKI theory; it is whether identity teams can govern certificate trust at scale without creating hidden operational risk.
NHIMG editorial — based on content published by GlobalSign: PKI fundamentals, components, benefits, and best practices for implementation
Questions worth separating out
Q: How should security teams govern certificate lifecycle in PKI environments?
A: Security teams should treat certificates as governed identities with named owners, renewal triggers, and revocation criteria.
Q: Why do revoked certificates still create security risk?
A: Revoked certificates remain risky because trust can persist in caches, misconfigured validation paths, or downstream systems that do not check status properly.
Q: What breaks when certificate ownership is unclear?
A: When ownership is unclear, renewal, revocation, and incident response all slow down.
Practitioner guidance
- Map certificate ownership to identity inventory Create a complete inventory of certificates, issuing authorities, owning teams, renewal dates, and revocation paths so each certificate is tied to an accountable service or business process.
- Automate renewal with policy guardrails Use API-driven automation for certificate renewal only after defining approval rules, service ownership, and exception handling for high-risk certificates.
- Test revocation workflows under change events Validate that CRL and OCSP checks work when keys are compromised, services are decommissioned, or third-party trust relationships change.
What's in the full article
GlobalSign's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanations of how CSR, CA, and RA flows work in practice.
- Detailed breakdowns of CRL and OCSP handling for certificate status checks.
- Examples of PKI use across SSL/TLS, S/MIME, IoT, and DevOps environments.
- Best-practice guidance for managed PKI and certificate automation.
👉 Read GlobalSign's full guide to PKI management and digital identity trust →
PKI governance for digital identity trust: what teams miss?
Explore further
PKI is now identity governance infrastructure, not a standalone security layer. The article correctly frames certificates as the basis for trust, but the operational reality is broader: PKI governs how machines, services, and applications prove who they are at runtime. That makes certificate lifecycle control part of identity architecture, alongside IAM, NHI governance, and access review discipline. Practitioners should treat certificate inventory as identity inventory.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How do organisations reduce manual PKI mistakes without losing control?
A: Organisations reduce manual mistakes by automating issuance and renewal while keeping policy, inventory, and revocation decisions under governance. Automation should remove repetitive work, not accountability. The best outcome is central visibility into certificates with explicit exceptions for high-risk trust relationships.
👉 Read our full editorial: PKI governance is still the backbone of digital identity trust