The Expiring Trust Model: CISOs Must Rethink PKI in the Era of Short-Lived Certificates and Machine Identity
A silent and significant shift is occurring in the security foundation of the modern enterprise. It’s not a new malware strain or a novel zero-day exploit; it is the digital certificate, which so many organizations have relied on for decades as a critical element of trust and security in digital communications.
New mandates from the CA/Browser Forum, a major increase in non-human identities, and the advance of quantum computing call for more stringent measures to protect organizations. This has turned the spotlight onto modernizing Public Key Infrastructure (PKI) and the management of certificates to future-proof digital trust against operational complexity and post-quantum disruption.
By March 2026, TLS certificates issued by public certificate authorities will no longer be valid for up to 398 days. Instead, their maximum lifespan will decrease to 200 days, then to 100 days by 2027, and finally to 47 days by 2029. This shrinking window will change how companies manage trust, as they will have to validate domain ownership more frequently and automate the issuance, renewal and revocation of thousands of certificates. While this may seem like an administrative nightmare, it also becomes a major concern for CISOs because it changes the attack surface.
Today digital certificates secure a vast and growing web of machine identities spanning cloud workloads, APIs, containers, IoT devices, autonomous AI agents and more. These identities authenticate, authorize, encrypt and sign on behalf of business-critical applications, often without human oversight. Each one is powered by a digital certificate, which means that each one also becomes a potential point of failure if that certificate is forgotten, misconfigured or compromised.
Unfortunately, many organizations use outdated tools and methods to manage this environment. As a result, security teams are unaware of how many certificates they have, where they are or which systems use them. Further, certificates expire without warning, resulting in application outages, service disruptions or unnoticed gaps in security coverage. It is particularly concerning that expired certificates on IoT devices or SaaS connectors leave entire segments of infrastructure vulnerable, as they go unmonitored and unaudited and are left exposed to exploitation.
The reality is stark: in the absence of automation, governance and visibility, shortened certificate lifecycles become an operational liability.
While the risk associated with certificates applies to all companies, it is a greater challenge for businesses operating in regulated sectors such as healthcare, where certificates must often be tied to national digital identity systems.
In several countries, healthcare providers and services are now required to issue certificates bound to a National Health Identifier (NHI). These certificates are used for authentication, e-signature and encryption in health data exchanges and must adhere to complex issuance workflows, usage constraints and revocation processes mandated by government frameworks.
Managing these certificates alongside public TLS certificates introduces operational complexity that few legacy PKI solutions were designed to handle in today’s dynamic and cloud-native environments. Legacy PKI tools typically lack automation, centralized visibility and integration with modern DevOps workflows, making it difficult to manage certificates at scale. This could lead to outages, security vulnerabilities and compliance risks.
The urgency of this mandate is heightened by the impending cryptographic shift driven by the rise of quantum computing. Transitioning to post-quantum cryptography (PQC) will require organizations to implement new algorithms quickly and securely. Frequent certificate renewal cycles, which once seemed a burden, could now become a strategic advantage. When managed through automated and agile certificate lifecycle management, these renewals provide the flexibility to rapidly replace compromised keys, rotate certificate authorities or deploy quantum-safe algorithms as they become standardized.
Despite the need for robust certificate management, many organizations struggle to achieve it as the growth of certificate sprawl exceeds their ability to maintain visibility. Additionally, PKI architectures are often fragmented across various departments, regions and use cases. Governance remains inconsistent due to the lack of centralized enforcement of certificate policies and key generation standards. Hybrid infrastructures that span cloud platforms introduce a range of complex integration requirements.
A further barrier to adopting a unified, automated approach is legacy tools, fragile scripts and vendor lock-in. Compounding these issues is a shortage of specialized talent necessary to design and maintain secure, scalable and quantum-ready PKI systems.
For CISOs, the response to this convergence of risk and complexity must be strategic and holistic. Beyond complying with a new certificate mandate, the goal must be to modernize the entire model of machine identity, building a resilient and future-ready foundation of trust.
The first step in this journey is visibility. Organizations must invest in certificate discovery and classification tools that map the entire digital landscape, from public TLS certificates to internally issued device certificates to shadow PKI instances embedded within cloud environments. Without visibility, automation is misdirected and governance becomes guesswork.
Next, leadership must prioritize automation as a critical aspect of security. The traditional lifecycle for managing certificates, which relies on requesting, issuing, deploying, renewing and revoking, must be coordinated through integrated platforms capable of efficiently managing thousands of certificates. Manual processes, even when supplemented with spreadsheets and scripts, cannot scale to meet the rapid pace of 47-day renewals. Additionally, automation minimizes the risk of outages and ensures that revocation, re-issuance and replacement can be executed programmatically in the event of a security compromise.
At the same time, governance must adapt. Organizations should establish and update their Certificate Policies and Certification Practice Statements (CP/CPS) to align with both CA/Browser Forum Baseline Requirements and sector-specific mandates, such as NHI frameworks. These documents should clearly define ownership, validation procedures, key usage constraints and revocation procedures, and they need to be updated to reflect emerging standards in post-quantum cryptography.
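The three steps above (inventory, automated renewal scheduling, and a policy check against the shrinking lifetime schedule) can be tied together in a small triage routine. The following Python is an added illustration, not code from the article or from any vendor; the hostnames are placeholders, and the exact switch-over days of the lifetime schedule are assumed, since the article gives only month and year.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum public TLS certificate lifetime by issuance date (398 -> 200 -> 100 -> 47 days). Switch-over days are assumed.
LIFETIME_SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_lifetime_days(issued: date) -> int:
    """Policy maximum validity, in days, for a certificate issued on `issued`."""
    return next(days for effective, days in LIFETIME_SCHEDULE if issued >= effective)

@dataclass(frozen=True)
class Cert:
    subject: str
    source: str        # where discovery found it: public-tls, device, shadow-pki
    not_before: date
    not_after: date

def assess(cert: Cert, today: date) -> dict:
    """Classify one certificate; renewal triggers when a third of its lifetime remains,
    so a 47-day certificate gets about 15 days of lead time."""
    lifetime = (cert.not_after - cert.not_before).days
    renew_on = cert.not_after - timedelta(days=lifetime // 3)
    if today > cert.not_after:
        status = "expired"
    elif today >= renew_on:
        status = "renew_now"
    else:
        status = "ok"
    return {"subject": cert.subject, "source": cert.source, "status": status,
            "exceeds_policy": lifetime > max_lifetime_days(cert.not_before),
            "renew_on": renew_on, "days_left": (cert.not_after - today).days}

def inventory_report(certs, today: date) -> dict:
    # Group subjects by status so the team sees what needs action first.
    report = {"expired": [], "renew_now": [], "ok": []}
    for cert in certs:
        report[assess(cert, today)["status"]].append(cert.subject)
    return report

# Constructed sample inventory (placeholder names, not real hosts).
SAMPLE_CERTS = [
    Cert("api.example.test", "public-tls", date(2026, 3, 20), date(2026, 10, 6)),   # 200 days
    Cert("portal.example.test", "public-tls", date(2026, 4, 1), date(2027, 4, 1)),  # 365 days
    Cert("sensor-17.example.test", "device", date(2025, 1, 1), date(2026, 1, 1)),   # lapsed IoT
    Cert("ci-runner.internal", "shadow-pki", date(2026, 7, 20), date(2026, 9, 5)),  # 47 days
]
```

The `exceeds_policy` flag catches certificates that were issued for longer than the schedule allows at their issuance date, which is exactly the class of certificate that will be rejected by browsers once the new maximum applies.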
Ultimately, success in this new environment will be measured by resilience. The organizations that thrive will be those that achieve holistic visibility, automated lifecycle management, consistent governance, and quantum-ready agility, without compromising uptime, security or compliance.
The TLS certificate, which for many years has been regarded as a tool for web encryption, is now the root of trust for every digital interaction. As its lifespan shrinks and its scope expands, the way we manage certificates must transform. For CISOs, this is not a future problem; the time to re-architect digital trust is now.
David Morimanno – Field CTO – North America at Xalient
DJ helps clients develop IAM strategies that work in complex organisations. He’s an active practitioner and strategist, with nearly 20 years of hands-on experience in implementing market-leading IAM technologies across IGA, PAM, and Access Management. He specialises in building IAM Programs, administering IAM tools, and developing long-term strategies to support organisational objectives and business enablement.
DJ has a passion for cybersecurity. He is a trusted advisor for Fortune 500 clients and has helped industry executives successfully execute large-scale IAM programs through deployment. He has extensive experience in financial services, energy, education, manufacturing, and healthcare industries.