PKI 07-16-2026

PKI has changed. Has your strategy?

Jeremy Rowley

For years, PKI was treated as critical infrastructure that operated almost silently behind the scenes. Security teams deployed certificates, renewed them on schedule, and moved on. 

Now, every cloud service, machine identity, software release, connected device, and AI workload depends on trusted digital identities. As organizations expand their digital footprint, PKI has become operational infrastructure. 

Many organizations, however, are still managing PKI with processes designed for a much smaller environment. 

New research from DigiCert and Omdia highlights the disconnect. Organizations recognize the need to modernize. Yet many still lack the visibility, automation, and governance required to manage growing certificate inventories, adapt to shorter certificate lifecycles, and prepare for post-quantum cryptography (PQC).

PKI Under Pressure

Modernization starts with visibility

Our research found that only 34% of organizations have complete visibility into the certificates deployed across their environment. Without that visibility, even routine certificate management becomes more difficult. Unknown certificates have no clear owner, fall outside established processes, and often remain undiscovered until they expire. 

This is something we learned firsthand. When DigiCert began modernizing our own PKI environment, we estimated we managed about 7,000 certificates. Discovery revealed that we had more than 18,000. 

The number was surprising, but it wasn't the most important lesson. Before we could automate certificate management, strengthen governance, or prepare for future cryptographic changes, we first needed an accurate inventory of our certificate estate. Discovery became the foundation for every decision that followed. 

The effort also delivered measurable results. Automation and standardized lifecycle management saved approximately 1,500 hours each year while generating a 50% return on investment during the first year. More importantly, engineering teams spent less time managing certificates and more time delivering business value. 

PKI is an operational capability

The role of PKI has expanded well beyond traditional security infrastructure. Certificates support cloud platforms, Kubernetes clusters, APIs, software supply chains, DevOps pipelines, SaaS applications, and machine identities. Every new service introduces another identity that must be issued, renewed, monitored, and governed throughout its lifecycle. 

That growth changes how organizations need to think about PKI. 

Our research identified infrastructure complexity and cross-functional coordination as leading barriers to modernization. That makes sense. PKI no longer belongs to a single security team. Platform engineering, networking, application owners, DevOps, and security all share responsibility for maintaining trust across the organization. 

The organizations making the most progress aren't adding more manual processes. They're standardizing certificate management, establishing clear ownership, and embedding automation into day-to-day operations

That's what operational maturity looks like. 

Operational maturity creates crypto-agility

Most conversations about the future of PKI focus on PQC. The industry is also preparing for shorter certificate lifecycles, expanding machine identity programs, and new operational demands created by AI.

Those priorities all depend on the same foundation. Organizations can't migrate to quantum-safe algorithms without knowing where certificates are deployed. They can't manage shorter certificate lifecycles with manual renewal processes. And they can't scale machine identities without consistent governance and automation.

The organizations best prepared for future cryptographic change won't necessarily be the first to deploy PQC. They'll be the ones that have already built the operational discipline to adapt as requirements evolve.

3 priorities for security leaders

Modernizing PKI doesn't require solving every problem at once. Organizations that make steady progress tend to focus on the same foundational capabilities first.

  1. Know what you have. Discovery is the first step in every modernization initiative. Certificates can't be governed, automated, or protected if they can't be found.
  2. Define ownership. PKI spans security, infrastructure, networking, application development, and platform engineering. Governance works when responsibilities are clear and certificate management becomes part of everyday operations.
  3. Automate deliberately. Automation reduces manual work, but its value extends much further. It improves resilience, lowers the risk of certificate-related outages, and gives organizations the flexibility to adapt as certificate volumes and cryptographic requirements evolve.

Modernization is an ongoing capability

I've seen firsthand how quickly certificate inventories can outgrow expectations and how difficult modernization becomes without visibility and automation. The research shows many organizations are at that same inflection point. Building the right operational foundation today will make every future transition—from shorter certificate lifecycles to PQC—more manageable. 

To explore the findings in more detail, watch the on-demand webinar, PKI Under Pressure, where Omdia Principal Analyst Adam Strange and I discuss the research and share practical approaches to modernizing PKI. 

Subscribe to the blog