TL;DR: Private certificate management is less about issuing X.509 certificates and more about operating trust across root keys, intermediates, revocation, inventory, and renewal, according to Infisical’s guide. The operational model only works when certificate lifecycle management is automated enough to keep pace with shrinking lifetimes and audit expectations.
NHIMG editorial — based on content published by Infisical: The Complete Guide to Private Certificate Management and Internal PKI
By the numbers:
- The maximum lifetime of a public TLS certificate is now 200 days, down from 398, and the CA/Browser Forum's approved schedule takes it to 100 days in March 2027 and 47 days in March 2029.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should teams govern private certificates across a hybrid environment?
A: Treat certificates as governed identities, not just cryptographic artifacts.
Q: Why do short-lived certificates force changes in PKI operations?
A: Shorter certificate lifetimes reduce the time an exposed certificate can be abused, but they also eliminate the margin for manual renewal.
Q: What breaks when certificate revocation is not reliable?
A: Revocation stops being a real control when clients cannot reach status services or when operators cannot prove which systems consume which trust chain.
Practitioner guidance
- Map every certificate trust chain Build an inventory of roots, intermediates, leaf certificates, trust stores, and dependent systems so you can see where trust is actually anchored and where revocation will matter most.
- Scope issuing CAs by purpose Separate issuance by environment, certificate type, or business unit so a problem in one branch does not become a universal trust event.
- Automate renewal before lifetimes shrink further Use ACME, API-driven enrollment, or platform integrations to renew and replace certificates without waiting for humans.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- Root and intermediate CA ceremony guidance for building a two-tier PKI model
- Step-by-step CSR, profile, and issuance examples for internal TLS certificates
- Practical revocation options, including CRLs, OCSP, and short-lived certificate trade-offs
- Implementation paths for ACME, API-driven enrollment, and device provisioning workflows
👉 Read Infisical's guide to building and running an internal PKI →
Private certificate management: where do PKI teams still break it?
Explore further
Private certificate management is identity governance for machine trust, not a side task for infrastructure teams. Certificates are how workloads, devices, and internal services prove who they are, so lifecycle failure in PKI is an identity failure. That means ownership, scope, renewal, revocation, and auditability need the same governance attention as human access or API key management. Practitioners should treat certificate operations as part of the broader identity programme.
A few things that frame the scale:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why certificate and workload identity inventories need continuous ownership rather than periodic clean-up.
A question worth separating out:
Q: Who should own certificate lifecycle governance in the enterprise?
A: Ownership should sit with the identity or platform function that can coordinate trust policy, automation, and audit evidence across workloads and devices. Security can set control requirements, but PKI governance fails when no team owns root protection, issuance scope, trust-store distribution, and revocation validation as one system.
👉 Read our full editorial: Private certificate management demands lifecycle control, not just PKI