Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk What do organisations get wrong about HTTPS and…
Governance, Ownership & Risk

What do organisations get wrong about HTTPS and SSL certificates?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Many teams assume HTTPS is a one-time deployment choice rather than a lifecycle commitment. In practice, certificates require inventory, ownership, renewal, and revocation discipline. If those controls are missing, the organisation can end up with expired certificates, orphaned trust, and unnecessary operational disruption.

Why This Matters for Security Teams

https is often treated as a simple encryption checkbox, but the real risk sits in certificate lifecycle control, trust distribution, and ownership. When teams do not know where certificates are issued, who owns them, or how they are revoked, expired trust becomes an outage vector and a security blind spot. That matters even more for machine identities, where certificates may protect service accounts, APIs, and internal workloads at scale.

NHI Management Group research shows that 57% of organisations lack a complete inventory of their machine identities, and 61% still rely on spreadsheets or manual tracking for machine identity management in the Critical Gaps in Machine Identity Management report by SailPoint. That pattern explains why certificate programs fail: the certificate is not the problem by itself, the missing operational discipline is. Current guidance from the NIST Cybersecurity Framework 2.0 emphasises asset visibility, protection, and recovery, all of which depend on knowing what certificates exist and how they are governed.

In practice, many security teams discover certificate sprawl only after a public-facing service fails, rather than through intentional inventory and renewal governance.

How It Works in Practice

A mature HTTPS program treats certificates as managed security assets, not static configuration. That means each certificate should have a named owner, a defined issuance source, documented purpose, and a renewal path with alerting well before expiry. For internal services, the same discipline applies to mTLS and workload certificates, where short-lived issuance is often safer than long-lived trust. The operational goal is simple: reduce the time a certificate remains valid beyond its useful purpose, and eliminate unclear ownership.

Practitioners should align certificate work to a full lifecycle:

  • Inventory every certificate, including public, internal, and service-to-service use cases.
  • Assign ownership so renewals and revocation are not anonymous tasks.
  • Automate renewal and replacement where possible, with clear fallback procedures.
  • Monitor for drift, expired roots, orphaned endpoints, and shadow certificates.
  • Revoke and replace certificates quickly when trust is compromised.

This becomes especially important for non-human identities, where certificates often secure the identity of workloads rather than people. The Ultimate Guide to NHIs — What are Non-Human Identities explains why machine identities scale faster than human identities and why visibility is so weak in practice. For implementation patterns, the IETF standard RFC 6125 is still relevant for hostname verification expectations, while RFC 5280 defines core certificate and path validation behaviour.

These controls tend to break down in highly distributed environments with frequent ephemeral workloads because manual renewal processes cannot keep pace with certificate issuance volume.

Common Variations and Edge Cases

Tighter certificate control often increases operational overhead, requiring organisations to balance stronger trust hygiene against deployment speed and service complexity. That tradeoff is real in environments with Kubernetes, service meshes, edge devices, or third-party integrations, where certificate lifecycles may be measured in hours rather than months. Best practice is evolving, but current guidance suggests short-lived certificates, automated rotation, and workload identity where possible.

Not every TLS deployment should be handled the same way. Public websites, internal APIs, partner connections, and device fleets all create different renewal and revocation risks. For example, an externally facing certificate outage is usually obvious quickly, but a stale internal certificate can silently weaken trust for months. Likewise, revocation is often slower and less reliable than teams expect, so expiry prevention matters more than revocation theory in day-to-day operations.

Security teams also get caught by false assumptions about SSL terminology. The industry still says SSL informally, but operationally the concern is modern TLS certificate governance, chain validation, and identity assurance. For that reason, organisations should focus less on labels and more on whether certificates are issued from trusted sources, monitored continuously, and removed when no longer needed. In large estates, the hardest failures are not the internet-facing ones, but the forgotten internal certificates embedded in automation, CI/CD, and service-to-service trust paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers certificate rotation and lifecycle gaps that create expired trust.
NIST CSF 2.0PR.AAIdentity and authentication controls depend on valid certificate governance.
NIST Zero Trust (SP 800-207)SC-23Zero trust relies on continuous validation of workload and service identity.
NIST AI RMFAI RMF governance principles apply to automated certificate decisioning and oversight.
CSA MAESTROMAESTRO helps structure trust and identity controls for autonomous workloads.

Map certificate ownership, issuance, and renewal to identity assurance and recovery processes.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org