Skip to main content
← Back to Insights
Insights

Stop Managing Certificates. Start Owning Trust.

March 24, 2026 · [cyphrs] Team · 8 min read

Certificate management is becoming a full-time job.

What used to be a predictable, annual task is now happening every few weeks–and it's getting worse.

Certificate lifetimes are shrinking. Validation windows are collapsing. And the operational burden is quietly compounding.

Most teams respond the same way:

automate renewals
deploy Certbot or ACME clients
add monitoring and alerts

But this assumes something fundamental:

That every system should be using certificates in the same way.

That assumption is rarely questioned.

It should be.

The Ticking Clock No One Controls

Public certificate lifetimes have been falling for years. What was once ~398 days became 90–and the industry is now moving toward ~47-day certificates. Each reduction compounds the operational cost of keeping systems alive.

At the same time, domain validation reuse windows are shrinking to days–not months.

Which means every renewal increasingly depends on:

DNS being correct
Validation endpoints reachable
Automation behaving perfectly

At small scale, this is manageable. At enterprise scale, it becomes something else entirely:

A system that is always on the edge of failure

3:00 AM outages caused by expired certificates aren't rare anymore. They're predictable.

This Isn't an Operations Problem

At first glance, this looks like an automation problem.

It isn't.

It's an architectural one.

The Internet's Trust Model Was Never Designed for You

Public Certificate Authorities exist to solve a specific problem: enabling trust between parties who have never met. When you visit a website, your browser trusts the certificate because a CA vouched for the domain. That model is built on three assumptions:

Unknown clients connecting to unknown servers
No prior trust relationship
No reliable way to enforce revocation

Because revocation is inconsistent and often fails open, the industry compensates by shortening certificate lifetimes.

If you can't reliably revoke trust, you expire it faster.

That makes sense–for browsers.

Your Systems Are Not the Internet

Your internal infrastructure operates in a completely different context:

Services are known and inventoried
Identities can be defined and assigned
Policy can be enforced at every connection
Environments are controlled and observable

And yet, most organisations apply the exact same trust model internally.

This is where things start to break.

Public Trust Model Leakage

When public trust assumptions leak into internal systems, the consequences are predictable:

What Happens When Public Certificates Run Internal Services

Public Trust Model Leakage
  • internal APIs rotating certificates every few weeks
  • Kubernetes workloads dependent on external validation
  • DNS failures triggering service outages
  • automation pipelines becoming critical infrastructure

What looks like "best practice" is actually:

tight coupling to external systems you do not control

At scale, failures aren't edge cases. They're inevitable.

Most internal systems should never have been using public certificates at all.

Public CAs solve a very specific problem: establishing trust between strangers on the internet. That is not your problem inside your infrastructure.

The False Choice

Most organisations see two options for managing certificates internally. Neither is ideal:

Enterprise PKI
  • powerful
  • expensive
  • operationally heavy
  • requires specialist expertise
Trust Control Layer
  • controlled
  • scalable
  • internal
  • policy-driven
ACME / Let's Encrypt
  • simple
  • free
  • easy to automate
  • designed for internet-facing

Neither was built for internal service-to-service trust at scale. So organisations compromise. And that compromise creates fragility.

What the Right Model Looks Like

The alternative is not "better certificate management." It's using the right trust model for the right system. That means:

Private CA for Internal Certificate Control

Owning identity internally–not renting it from a public CA
Issuing certificates based on policy, not just domain validation
Using longer-lived credentials where the threat model supports it
Enabling real revocation that works–not theoretical revocation that doesn't
Removing unnecessary dependency on external Certificate Authorities
Stop borrowing trust from the internet. Start owning it.

From Certificates to Identity

The shift isn't just operational–it's conceptual. When you own your trust model, certificates become an implementation detail, not the thing you manage.

Certificates

short-lived, rotating

Identity

stable, persistent

Policy

rules, trust, governance

Certificates change. Identity persists.

The shift moves from certificates → to identity. From renewal → to policy. From automation → to control.

Why This Matters Now: AI and Machine Identity

mTLS for Machine-to-Machine Authentication

AI agents are adding a new dimension to this problem. Autonomous systems that call APIs, trigger workflows, and make decisions are proliferating–and each one needs an identity. Not a shared API key. Not a service account password. A cryptographic identity that can be verified, scoped, and revoked.

mTLS provides exactly this: mutual authentication where both sides prove who they are before any data is exchanged.

Agent
mTLS →
Service
mTLS →
Service

API Key Identity-based trust

Without a trust model designed for machine identity, organisations will either over-provision access or create brittle authentication chains that collapse under pressure.

The Real Outcome

More automation and more tooling won't fix this. They'll manage the symptoms more efficiently–but they won't change the underlying dynamic. Every new service, every new environment, every new agent adds another certificate to track, another renewal to automate, another potential failure point.

Because the problem was never certificates. It was the trust model.

Final Thought

Certificate lifetimes will continue to fall. Validation windows will continue to shrink. The operational surface area will continue to grow. Organisations that treat this as an automation challenge will always be reacting. Organisations that rethink their trust model will build something fundamentally more resilient.

Not every system needs a certificate.
And most systems don't need a public one.